A patch has been committed to the package svn tree to fix handling of cipher lists, which leaves this issue:
On Tue, Jan 29, 2008 at 11:09:32AM -0800, Steve Langasek wrote:
> I'm not sure if we should also try to migrate the OpenSSL-specific cipher
> specs to GNUTLS equivalents as part of the package upgrade.

I had a poke around http://www.openssl.org/docs/apps/ciphers.html, which lists all the various keywords recognized by OpenSSL. Mapping these onto the known GnuTLS ciphers using 'openssl ciphers -v' and 'gnutls-cli -l', here's what I get:

  MEDIUM -> TLS_ANON_DH_ARCFOUR_MD5:TLS_RSA_ARCFOUR_SHA1:TLS_RSA_ARCFOUR_MD5

  HIGH -> TLS_ANON_DH_AES_256_CBC_SHA1:TLS_DHE_RSA_AES_256_CBC_SHA1:TLS_DHE_DSS_AES_256_CBC_SHA1:TLS_RSA_AES_256_CBC_SHA1:TLS_ANON_DH_AES_128_CBC_SHA1:TLS_DHE_RSA_AES_128_CBC_SHA1:TLS_DHE_DSS_AES_128_CBC_SHA1:TLS_RSA_AES_128_CBC_SHA1:TLS_ANON_DH_3DES_EDE_CBC_SHA1:TLS_DHE_RSA_3DES_EDE_CBC_SHA1:TLS_DHE_DSS_3DES_EDE_CBC_SHA1:TLS_RSA_3DES_EDE_CBC_SHA1

  LOW -> empty list

  DEFAULT: MED+HIGH, w/o ANON_DH, w/ TLS_RSA_EXPORT_ARCFOUR_40_MD5

  EXP,EXPORT,EXPORT40 -> TLS_RSA_EXPORT_ARCFOUR_40_MD5

  eNULL,NULL -> TLS_RSA_NULL_MD5

  aNULL -> TLS_ANON_DH_AES_256_CBC_SHA1:TLS_ANON_DH_AES_128_CBC_SHA1:TLS_ANON_DH_3DES_EDE_CBC_SHA1:TLS_ANON_DH_ARCFOUR_MD5

  SSLv2 -> empty list

But this is only a partial list of the most relevant aliases; there are also aliases for each authentication, key exchange, and encryption algorithm, and OpenSSL supports various forms of negation and sorting that aren't supported here by GnuTLS. I'm pretty sure I don't want to implement support for migrating the full set of OpenSSL cipher specs in shell. :P

Do you think converting the above aliases would be good enough coverage? Or do we need to provide some upgrade handling for all the possibilities, and therefore we're doomed to add yet another debconf error message here? In the latter case I'm probably not going to spend the effort on auto-migrating any of the values.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
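
The alias table in the message above can be turned into a translator that refuses every spec it cannot map exactly, so the upgrade can fall back to an error instead of silently changing the configured cipher set. This is an added example, not code from the message or from the package's maintainer scripts; the function name `openssl_to_gnutls`, the ordering inside DEFAULT, and treating an empty result as a failure are assumptions.

```shell
#!/bin/sh
# Added example: alias table copied from the message above (not package code).
MEDIUM="TLS_ANON_DH_ARCFOUR_MD5:TLS_RSA_ARCFOUR_SHA1:TLS_RSA_ARCFOUR_MD5"
HIGH="TLS_ANON_DH_AES_256_CBC_SHA1:TLS_DHE_RSA_AES_256_CBC_SHA1:TLS_DHE_DSS_AES_256_CBC_SHA1:TLS_RSA_AES_256_CBC_SHA1:TLS_ANON_DH_AES_128_CBC_SHA1:TLS_DHE_RSA_AES_128_CBC_SHA1:TLS_DHE_DSS_AES_128_CBC_SHA1:TLS_RSA_AES_128_CBC_SHA1:TLS_ANON_DH_3DES_EDE_CBC_SHA1:TLS_DHE_RSA_3DES_EDE_CBC_SHA1:TLS_DHE_DSS_3DES_EDE_CBC_SHA1:TLS_RSA_3DES_EDE_CBC_SHA1"
EXPORT="TLS_RSA_EXPORT_ARCFOUR_40_MD5"
ENULL="TLS_RSA_NULL_MD5"
ANULL="TLS_ANON_DH_AES_256_CBC_SHA1:TLS_ANON_DH_AES_128_CBC_SHA1:TLS_ANON_DH_3DES_EDE_CBC_SHA1:TLS_ANON_DH_ARCFOUR_MD5"

# Print the GnuTLS list for an OpenSSL cipher spec built only from the aliases
# above. Return 1 (printing nothing) for any other token: negation (!, -),
# sorting (+, @STRENGTH), per-algorithm aliases, or literal suite names.
openssl_to_gnutls() {
    result=""
    set -f                                   # no globbing while splitting
    for tok in $(printf '%s' "$1" | tr ':,' '  '); do
        noanon=0
        case $tok in
            MEDIUM)              add=$MEDIUM ;;
            HIGH)                add=$HIGH ;;
            LOW|SSLv2)           add="" ;;   # empty list per the table
            # The table gives DEFAULT's membership only; this order is assumed.
            DEFAULT)             add="$MEDIUM:$HIGH:$EXPORT"; noanon=1 ;;
            EXP|EXPORT|EXPORT40) add=$EXPORT ;;
            eNULL|NULL)          add=$ENULL ;;
            aNULL)               add=$ANULL ;;
            *)                   set +f; return 1 ;;
        esac
        for c in $(printf '%s' "$add" | tr ':' ' '); do
            # DEFAULT excludes the anonymous-DH suites.
            case $c in TLS_ANON_DH_*) [ "$noanon" = 0 ] || continue ;; esac
            case ":$result:" in *":$c:"*) continue ;; esac   # skip duplicates
            result="${result:+$result:}$c"
        done
    done
    set +f
    [ -n "$result" ] || return 1             # e.g. "LOW" alone: nothing to emit
    printf '%s\n' "$result"
}
```

A caller would keep the admin's original value and raise the error path whenever the function returns non-zero, for example on `HIGH:!aNULL`.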