There is no easy way to gracefully handle weak crypto. It has been known for more than five years that 1024-bit (or rather <2048-bit) DH primes need to be considered weak and should not be used (https://weakdh.org/). GnuTLS > 3.2 does the right thing in having services which still have not taken action to use contemporary (non-weak) crypto fail by default, so that users will become aware of the fact they are (were) connecting insecurely, and these services can be more easily identified and fixed.
In some cases, using clients (and software versions of clients) which support higher TLS protocol versions can work around this problem (if remote servers support strong ciphers on higher TLS protocol versions; example: https://www.ssllabs.com/ssltest/analyze.html?d=mail.nhs.net&hideResults=on ). It *may* be possible to continue to allow for insecure connections by setting the GnuTLS priority string to include LEGACY as per https://gnutls.org/manual/html_node/Priority-Strings.html

--
https://bugs.launchpad.net/bugs/1860461

Title: libgnutls30 3.6.11.1-2ubuntu2 (Ubuntu 20.04) breaks pulseui client with error "Error performing TLS handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough)."
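
As an added illustration (not part of the original comment and not GnuTLS code): a check of the kind the error message describes, parsing the ServerDHParams at the start of a TLS 1.2 ServerKeyExchange body and rejecting a prime shorter than the 2048 bits named above. The names check_dh_prime and MIN_DH_BITS and both sample messages are constructed for this example; the sample moduli only have the right bit length and are not real primes.

```python
import struct

MIN_DH_BITS = 2048  # assumption: threshold from the comment above (<2048 bit is weak)

def parse_dhe_params(body: bytes):
    """Parse ServerDHParams (RFC 5246, 7.4.3): dh_p, dh_g, dh_Ys.

    Each field is a 2-byte big-endian length followed by that many bytes.
    Returns ((p, g, ys), offset); bytes past offset are the signature.
    """
    values, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before length of {name}")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError(f"bad length for {name}")
        values.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return tuple(values), off

def check_dh_prime(body: bytes, min_bits: int = MIN_DH_BITS) -> dict:
    """Report the bit length of dh_p and whether it meets min_bits."""
    (p, _g, _ys), _ = parse_dhe_params(body)
    bits = p.bit_length()  # leading zero bytes on the wire do not count
    return {"prime_bits": bits, "acceptable": bits >= min_bits}

def _encode(p: int, g: int, ys: int) -> bytes:
    """Build a constructed ServerDHParams blob for the samples below."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed samples: odd numbers of the stated length, NOT real primes.
WEAK_SKE = _encode((1 << 1023) | 1, 2, 3)
STRONG_SKE = _encode((1 << 2047) | 1, 2, 3)

if __name__ == "__main__":
    for label, msg in (("1024-bit server", WEAK_SKE), ("2048-bit server", STRONG_SKE)):
        print(label, check_dh_prime(msg))
```
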