[gnutls-devel] GnuTLS priority string bug with *-ALL
nmav at gnutls.org
Fri Jul 19 17:29:43 CEST 2013
On 07/18/2013 11:33 AM, Stefan Bühler wrote:
> adding catch-alls doesn't add but replaces the list.
> * "NONE:+COMP-DEFLATE:+COMP-ALL" - no deflate, only COMP-NULL
> * "NONE:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-DTLS-ALL" - only DTLS1.0 and
> I think replacing _set_priority with _add_priority as bulk_fn in
> gnutls_priority_init (lib/gnutls_priority.c:~900) should fix this.
I'm adding it to my todo list. I need to combine that with some
automated tests that verify that priorities have been correctly
added/sorted. That would prevent any future introduction of bugs like
this one, or the one you previously reported.
> Naming them "catch-alls" is misleading anyway, as not all *-ALL sets
> actually represent the complete list; sadly neither this fact nor the
> actual list a *-ALL represents is documented officially.
> Also the manual is outdated; it misses some keywords.
> The doc for gnutls_cipher_set_priority says that server order doesn't
> matter, but with %SERVER_PRECEDENCE it does.
Indeed. Please feel free to update the documentation and send any
patches. I've added that to my todo list, but currently that's filled up
with other unrelated stuff.
> Also it would be nice if all lists would be accessible through the API
> (like gnutls_priority_protocol_list; missing cipher, mac and kx lists).
> See gnutls-priority.c at https://gist.github.com/stbuehler/5693466
I thought that having the actual ciphersuite list with
gnutls_priority_get_cipher_suite_index() would be more interesting for
the priority structure. I could add more functions to access this
structure, but would they be more interesting than the ciphersuite?
> http://blog.lighttpd.net/gnutls-priority-strings.html is an online
> version of gnutls-priority.c the way I think it should work :)
I think this agrees with the intention.
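An added toy model of the priority-string parsing discussed in this thread (not GnuTLS code; the *-ALL keyword tables are constructed assumptions, and COMP-ALL deliberately lacks DEFLATE to mirror the behaviour Stefan reports). It contrasts the current bulk behaviour, where a +*-ALL replaces the list, with the proposed adding behaviour, using the two priority strings quoted above:

```python
# Toy model of priority-string handling, constructed for this thread.
# The tables below are assumptions, not GnuTLS's real keyword tables.
BULK = {
    "COMP-ALL": ["COMP-NULL"],                       # assumed: no DEFLATE
    "VERS-TLS-ALL": ["VERS-TLS1.2", "VERS-TLS1.1", "VERS-TLS1.0"],
    "VERS-DTLS-ALL": ["VERS-DTLS1.2", "VERS-DTLS1.0"],
}


def category(keyword):
    """Map a keyword to the list it belongs to: COMP-* -> comp, VERS-* -> vers."""
    return keyword.split("-", 1)[0].lower()


def parse(priority, bulk_replaces):
    """Return {category: ordered list of enabled items}.

    bulk_replaces=True models the reported bug (a +*-ALL keyword replaces
    the list, like _set_priority as bulk_fn); False models the proposed fix
    (a +*-ALL keyword appends whatever is not already present, in order).
    """
    lists = {}
    for token in priority.split(":"):
        if token == "NONE":          # start from empty lists
            lists = {}
            continue
        op, name = token[0], token[1:]
        items = BULK.get(name, [name])
        current = lists.setdefault(category(name), [])
        if op in "-!":               # remove each named item if present
            for item in items:
                if item in current:
                    current.remove(item)
        elif op == "+":
            if name in BULK and bulk_replaces:
                lists[category(name)] = list(items)   # buggy: drops earlier +items
            else:
                for item in items:                    # add-only, keeps order
                    if item not in current:
                        current.append(item)
    return lists


def bulk_adds_correctly():
    """Regression-style check: +COMP-ALL after +COMP-DEFLATE must keep DEFLATE first."""
    return parse("NONE:+COMP-DEFLATE:+COMP-ALL", False)["comp"] == ["COMP-DEFLATE", "COMP-NULL"]
```

With the replacing behaviour the second string ends up with only the DTLS versions, matching the report; with the adding behaviour TLS1.2 survives in front of them.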