libgnutls30 3.6.11.1-2ubuntu2 (Ubuntu 20.04) breaks pulseui client with error "Error performing TLS handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough)."

Status changed to 'Confirmed' because the bug affects multiple users.

There is no easy way to gracefully handle weak crypto. It has been known for more than five years that 1024 bit (or rather <2048 bit) DH primes need to be considered weak and should not be used - https://weakdh.org/ - GnuTLS > 3.2 does the right thing in having services which still have not taken action to use contemporary (non weak) crypto fail by default, so that users will become aware of the fact they are (were) connecting insecurely, and these services can be more easily identified and fixed.

In some cases, using clients (and software versions of client) which support higher TLS protocol versions can work around this problem (if remote servers support strong ciphers on higher TLS protocol versions; example: https://www.ssllabs.com/ssltest/analyze.html?d=mail.nhs.net&hideResults=on ).

It *may* be possible to continue to allow for insecure connections by setting the GnuTLS priority string to include LEGACY as per https://gnutls.org/manual/html_node/Priority-Strings.html

My University Account (NYU) uses Shibboleth. I was able to add that account to Online Accounts in 19.10 but it fails with this error in 20.04.

Are you saying that the minimal level of crypto changed between 19.10 and 20.04?

Thank you for the testing link.

https://www.ssllabs.com/ssltest/analyze.html?d=shibboleth.nyu.edu&hideResults=on

This server supports weak Diffie-Hellman (DH) key exchange parameters.
This server does not support Forward Secrecy with the reference browsers.
This server supports TLS 1.0 and TLS 1.1.

So, you are saying that unless the University upgrades on their end, I cannot connect from 20.04, correct?

I have the same problem with my company's email which uses the Rackspace Outlook 2016 Exchange service. Rackspace told me that they cannot change the DH key to a value higher than 1024 bits (which I don't believe) and they suggested that instead the company upgrades to some Office 365 service which supports a higher DH key size. So, at this moment I cannot use my company's Exchange E-mail from Evolution as I could in the past.

Sorry for pushing on this yet again, but since using the LEGACY setting does not resolve the issue, could the real bug possibly be that Online Accounts are not respecting that setting (which would be a big deal)?

As a workaround, can you try lowering the profile from MEDIUM [1] to LEGACY:

sudo mkdir /etc/gnutls
cat << EOF | sudo tee -a /etc/gnutls/config
[overrides]
default-priority-string = NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-DTLS1.2:%PROFILE_LEGACY
EOF

1: https://git.launchpad.net/ubuntu/+source/gnutls28/tree/debian/rules#n38

Oops, it should have been LOW, not LEGACY. Here it is again to avoid any confusion:

As a workaround, can you try lowering the profile from MEDIUM [1] to LOW [2]:

sudo mkdir /etc/gnutls
cat << EOF | sudo tee -a /etc/gnutls/config
[overrides]
default-priority-string = NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-DTLS1.2:%PROFILE_LOW
EOF

1: https://git.launchpad.net/ubuntu/+source/gnutls28/tree/debian/rules#n38
2: https://gnutls.org/manual/html_node/Selecting-cryptographic-key-sizes.html#Selecting-cryptographic-key-sizes

This worked for me! Thank you.

The issue there seems to be with the servers not up to current standard and what gnutls enforce, is there anything that needs to be done from the online accounts or evolution?

[Expired for gnome-online-accounts (Ubuntu) because there has been no activity for 60 days.]

[Expired for gnutls28 (Ubuntu) because there has been no activity for 60 days.]

[Expired for evolution (Ubuntu) because there has been no activity for 60 days.]