[gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Sep 23 16:30:22 CEST 2019

Richard Frith-Macdonald commented:

I kind of came to the same conclusion (the code is not wrong according to the spec).
However, it's not clear to me that the server *must* select the version in accordance with the client's preferred order, and it makes some sense from a security point of view for the server to select the newest/best version if the client offers more than one (as well as avoiding a situation where the user at the client end can accidentally configure a priority string which prevents client and server from establishing a connection).
It appears that openssl servers select 1.3 in preference to 1.2 even when the client puts 1.2 before 1.3, and it may be no bad thing to behave in a compatible way.
Perhaps this could be viewed as a suggested possible improvement rather than a bug report?
If you think otherwise, I'll not complain should you decide to simply close the issue.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837#note_220699740
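Added illustration (not GnuTLS, OpenSSL, or the issue reporter's code) of the two negotiation policies discussed in the comment above and of why the client-order policy produces the "Detected downgrade to TLS 1.2 from TLS 1.3" error in the issue title. It models the RFC 8446 rules: the client sends supported_versions in preference order (section 4.2.1), a server that supports TLS 1.3 but negotiates TLS 1.2 or below must overwrite the last 8 bytes of ServerHello.random with the downgrade sentinel (section 4.1.3), and a client that offered TLS 1.3 must abort when it sees that sentinel. The function names, the policy labels "client_order" and "server_highest", and the version lists are assumptions made for the example; the sentinel byte values are the ones defined in RFC 8446.

```python
"""Toy model of TLS version negotiation and the TLS 1.3 downgrade sentinel.

Added example, not code from GnuTLS or OpenSSL. Version numbers and sentinel
values follow RFC 8446; the policy names and function names are made up here.
"""
import os

# Protocol version codes as carried on the wire (major.minor as a 16-bit value)
TLS10 = 0x0301
TLS11 = 0x0302
TLS12 = 0x0303
TLS13 = 0x0304
VERSION_NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}

# Downgrade sentinels from RFC 8446 section 4.1.3: "DOWNGRD" followed by 0x01 or 0x00
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")  # TLS 1.3 server negotiated TLS 1.2
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")  # TLS 1.3 server negotiated TLS 1.1 or below
SENTINELS = (DOWNGRADE_TLS12, DOWNGRADE_TLS11)


def select_version(client_versions, server_versions, policy="client_order"):
    """Return the version the server negotiates, or None if there is no overlap.

    client_versions: the client's supported_versions list, most preferred first.
    server_versions: the set of versions the server is configured to speak.
    policy (assumed labels): "client_order" picks the first common version in the
    client's order (the behaviour discussed in this thread); "server_highest"
    picks the highest common version (what the comment reports OpenSSL servers do).
    """
    common = [v for v in client_versions if v in server_versions]
    if not common:
        return None
    if policy == "client_order":
        return common[0]
    if policy == "server_highest":
        return max(common)
    raise ValueError(f"unknown policy {policy!r}")


def server_hello_random(negotiated, server_supports_tls13):
    """Build the 32-byte ServerHello.random, adding the sentinel when RFC 8446 requires it.

    A server that supports TLS 1.3 and negotiates TLS 1.2 or below MUST set the
    last 8 bytes to the matching sentinel; a server without TLS 1.3 sends plain randomness.
    """
    random = bytearray(os.urandom(32))
    if server_supports_tls13 and negotiated <= TLS12:
        random[24:] = DOWNGRADE_TLS12 if negotiated == TLS12 else DOWNGRADE_TLS11
    return bytes(random)


def client_check_downgrade(client_versions, negotiated, server_random):
    """Client-side check from RFC 8446 section 4.1.3; returns an error string or None.

    The check is triggered by the client *supporting* TLS 1.3, not by where it
    ranked TLS 1.3 in its list, which is why a priority string that prefers 1.2
    over 1.3 still ends in a downgrade alert against a 1.3-capable server.
    """
    if TLS13 in client_versions and negotiated <= TLS12 and server_random[24:] in SENTINELS:
        return f"Detected downgrade to {VERSION_NAMES[negotiated]} from TLS 1.3"
    return None


def handshake(client_versions, server_versions, policy="client_order"):
    """Run one negotiation end to end; returns (negotiated_version, error_or_None)."""
    negotiated = select_version(client_versions, server_versions, policy)
    if negotiated is None:
        return None, "no common protocol version"
    rnd = server_hello_random(negotiated, TLS13 in server_versions)
    return negotiated, client_check_downgrade(client_versions, negotiated, rnd)


if __name__ == "__main__":
    # Constructed scenario from the issue: the client's priority string lists 1.2 before 1.3
    client = [TLS12, TLS13]
    server = {TLS12, TLS13}
    for policy in ("client_order", "server_highest"):
        version, err = handshake(client, server, policy)
        print(f"{policy:14s} -> {VERSION_NAMES[version]}, {err or 'handshake ok'}")
```

Under "client_order" the server honours the client's list, picks TLS 1.2, and, because it is itself TLS 1.3-capable, must write the sentinel; the client supports TLS 1.3, sees the sentinel, and aborts exactly as in the issue title. Under "server_highest" the same two peers negotiate TLS 1.3 and no sentinel is ever written. Both outcomes are spec-conformant, which is the point the comment above makes: the downgrade check is a defence against an attacker stripping TLS 1.3, and a client configuration that voluntarily ranks 1.2 first is indistinguishable from that attack on the wire.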

