From: Nikos Mavrogiannopoulos
Date: Fri, 7 Feb 2014 07:45:48 +0000 (+0100)
Subject: reduced security levels of SECURE128 and SECURE192 strings.
X-Git-Tag: gnutls_3_3_0pre0~204
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f6143ecf2fccdcc315214dbdd743ec2438730d11;p=thirdparty%2Fgnutls.git

reduced security levels of SECURE128 and SECURE192 strings.
---
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index f819417d61..f5a274c753 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -705,8 +705,8 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
 func(&priority_cache->supported_ecc, supported_ecc_secure192);
- SET_PROFILE(GNUTLS_PROFILE_ULTRA);
- SET_LEVEL(GNUTLS_SEC_PARAM_ULTRA);
+ SET_PROFILE(GNUTLS_PROFILE_HIGH);
+ SET_LEVEL(GNUTLS_SEC_PARAM_HIGH);
 return 1;
 } else if (strcasecmp(level, LEVEL_SECURE128) == 0 || strcasecmp(level, "SECURE") == 0) {
@@ -717,8 +717,11 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
 func(&priority_cache->supported_ecc, supported_ecc_secure128);
- SET_PROFILE(GNUTLS_PROFILE_HIGH);
- SET_LEVEL(GNUTLS_SEC_PARAM_HIGH);
+ /* The profile should have been HIGH but if we don't allow
+ * SHA-1 (80-bits) as signature algorithm we are not able
+ * to connect anywhere with this level */
+ SET_PROFILE(GNUTLS_PROFILE_LOW);
+ SET_LEVEL(GNUTLS_SEC_PARAM_LOW);
 return 1;
 } else if (strcasecmp(level, LEVEL_SUITEB128) == 0) {
 func(&priority_cache->protocol, protocol_priority_suiteb);
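Review bot: The SECURE192 branch drops from `GNUTLS_PROFILE_ULTRA`/`GNUTLS_SEC_PARAM_ULTRA` to the HIGH values without any comment, whereas the SECURE128 branch in the next hunk records why it was lowered. Someone auditing what a priority string actually enforces cannot tell from these lines whether HIGH is a deliberate interoperability choice or a stopgap. I would add a comment above the two new lines, along the lines of `/* SECURE192 intentionally uses the HIGH profile/level rather than ULTRA: <reason> */`, with the real reason filled in. The body of check_level starts and ends outside this hunk, so the rest of the branch is not visible here.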
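Review bot: Setting both the profile and the level to LOW in the SECURE128/"SECURE" branch looks broader than the SHA-1 signature case that the new comment gives as the reason. SET_PROFILE and SET_LEVEL are defined outside the hunk, but they presumably also govern the minimum key sizes accepted during certificate verification and key exchange, so a caller asking for "SECURE" may accept a weaker peer than the name and the secure128 cipher lists suggest. If the verification code allows it, keeping HIGH and tolerating only SHA-1 signatures would be the narrower fix. Otherwise extend the comment to state the wider effect, e.g. `/* NOTE: LOW also lowers the accepted key sizes, not only the signature hash */`, and say the same in the priority-string documentation.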