[libmicrohttpd] SSL handshake fails between libcurl and libgnutls/MHD

Daniel Stenberg daniel at haxx.se
Mon Jan 23 23:14:44 CET 2012


On Mon, 23 Jan 2012, Nikos Mavrogiannopoulos wrote:

> It doesn't look right. I'd change "-VERS-TLS-ALL:+VERS-SSL3.0" with 
> "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0".
>
> However your priority string seem quite radical. You only allow SSL 3.0.

That particular logic is only running when SSL 3.0 is explicitly asked for.

> If you care about interoperability I'd suggest a string similar to 
> http://www.gnu.org/software/gnutls/manual/html_node/Interoperability.html 
> but even then you have issues like being vulnerable to the "beast" attack.

I'm sorry but I'm not very familiar with SSL at a detailed protocol level. Can 
you please tell me how I can ask GnuTLS to use SSL 3.0 _without_ being 
vulnerable to something like the "beast" attack?

> btw. gnutls 3.0.12 added a check for gnutls_priority_set_direct() to fail if 
> given a string that adds no actual priorities (like the above).

Can I just mention that even after your correction I simply don't understand 
the string (and I even thought I copied the string I used from the gnutls 
manual) and it makes me slightly frustrated that the API makes it *that* easy 
to slip in a mistake that makes the application vulnerable to security 
problems. I have read the priority string section of the manual but I must be 
equipped with lesser brain cells than the humans that chapter is aimed for.

I realize creating APIs for ignorant users like me is hard and I certainly 
appreciate that more recent versions will reject very obvious stupidities...

-- 

  / daniel.haxx.se




More information about the Gnutls-devel mailing list