GnuTLS, OpenSSL support for TLS1.1, 1.2
Simon Josefsson
simon at josefsson.org
Fri Jan 29 14:54:39 CET 2010
Vivek Dasmohapatra <vivek at collabora.co.uk> writes:
>> I don't see anything beyond TLSv1.0 in /usr/include/openssl/tls1.h on my
>> system. If you have any more reliable information, please let us know.
>
> I ran up against a buggy proprietary server which a user reported
> didn't work with our GnuTLS backend but did with OpenSSL - turned out
> to be because the server exploded in a messy fireball if it saw a
> minor version of the protocol in the client hello that it didn't know
> about, instead of responding with the highest protocol level it supported
That's not unusual. Check the GnuTLS manual on how to make GnuTLS just
talk TLS 1.0 if you can't fix that server.
> (analysed with ssltap from libnss3 - is there an equivalent from
> GnuTLS, btw?):
There is gnutls-cli, but I don't know how it compares.
> The OpenSSL version worked because it only ever advertised TLS1.0,
> and I couldn't find any reference to making it advertise a higher
> version of the protocol. Not conclusive, but it does point to OpenSSL
> not implementing TLS 1.1 or 1.2 (at least in any documented,
> on-by-default way).
Right.
/Simon
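
The version negotiation discussed in this message, as an added example that is not part of the original e-mail or of GnuTLS/OpenSSL: it parses `client_version` out of a ClientHello record and contrasts a tolerant server, which answers with the highest version it supports, with the version-intolerant behaviour described above. All function names and the sample ClientHello are constructed for illustration.

```python
import struct

TLS_1_0, TLS_1_1, TLS_1_2 = (3, 1), (3, 2), (3, 3)  # (major, minor) on the wire

def build_client_hello(client_version):
    """Constructed minimal ClientHello record: one cipher suite, no extensions."""
    body = bytes(client_version) + bytes(32)     # client_version + dummy random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"   # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                          # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version stays 3.1; the offered version is inside the hello.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_version(record):
    """Return ClientHello.client_version from a raw TLS handshake record."""
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    if len(record) < 5 + rec_len or record[5] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    return (record[9], record[10])               # bytes after 4-byte handshake header

def negotiate(record, server_max=TLS_1_0, server_min=TLS_1_0):
    """Tolerant server: answer with the highest version both sides support
    (RFC 5246, Appendix E.1), rejecting only clients older than server_min."""
    chosen = min(parse_client_version(record), server_max)
    if chosen < server_min:
        raise ValueError("protocol_version alert: client too old")
    return chosen

def negotiate_intolerant(record, known=(TLS_1_0,)):
    """Version-intolerant server: fails on any version it does not know."""
    offered = parse_client_version(record)
    if offered not in known:
        raise ValueError("handshake aborted: unknown version %d.%d" % offered)
    return offered

if __name__ == "__main__":
    for name, version in (("TLS 1.0", TLS_1_0), ("TLS 1.2", TLS_1_2)):
        hello = build_client_hello(version)
        try:
            bad = negotiate_intolerant(hello)
        except ValueError as exc:
            bad = str(exc)
        print(name, "client -> tolerant:", negotiate(hello), "| intolerant:", bad)
```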