[gnutls-devel] RSA vs. DHE-RSA with default priority string
armin at arbur.net
Sun May 24 18:12:24 CEST 2015
I have a server which allows use of DHE-RSA but does not enforce it.
It does not support any ECC, though.
When connecting with gnutls-cli from master (and 3.3), it chooses RSA
key exchange instead of DHE-RSA. I only get DHE-RSA when I specify
I compared this to gnutls-cli from gnutls 2.12.23: with the default
priority string, I get DHE-RSA. I could switch to RSA with
The behaviour of gnutls 2.12 seems more reasonable to me. How would I
make the current version of gnutls prefer DHE-RSA but still allow RSA if
the server does not support DH? I understand --priority=PFS completely
disables any non-PFS kx algorithms. I'd prefer not to hand-craft a
priority string that explicitly contains algorithm names, so that I stay