[gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Jan 13 14:33:39 CET 2020

Nikos Mavrogiannopoulos commented:

> In terms of "default" built-ins, I'd love to be able to provide at configure time "disabled-versions" list. And for example, allow people to "reset" it by using "disabled-versions =" which would explicitly reset the list of disabled-versions back to none. This is similar to the ini-syntax that systemd units use to reset/override otherwise additive keys with system drop-ins.

But that would seem to me very restricted, as it focuses only on one aspect of settings (TLS versions). The rest of the settings (algorithms, hashes, etc.) will not be covered, and that will lead to a piecemeal approach; it feels to me that the handling of that disablement will become very complex if not unmanageable. For example, with the patch you propose I see how I can disable TLS1.0 and TLS1.1 at configure time, but how do I do the same for SHA256? Even a version like TLS1.2 cannot be handled by the configure logic.

> I don't think enforcing the presence of the configuration file is sensible. Especially since until now, no config was provided or necessary.

True, I was not thinking about a universal requirement, but one that is asked during configure time. So distributions which require a config can do so.

> Or maybe I should just stop compiling in TLSv1.1 and lower, and just be done with it.

True. That may be a way out. I am not sure how far we can get for it. I know we could not convince the fedora community to move from TLS1.0 and TLS1.1. As long as browsers enable them, it would be very hard to differ from a library like gnutls.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_270532318
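The reset semantics quoted in the comment above (an additive `disabled-versions` key that a bare `disabled-versions =` clears, in the manner of systemd drop-ins) are modelled below as an added example; this is not code from the merge request or from GnuTLS, and the key name, the `[overrides]` section, the compile-time default list and the version names are all assumptions made for the illustration. It shows the point a deployer should watch for: a drop-in that resets the list silently re-enables versions the build had disabled unless it names them again.

```python
# Constructed stand-in for a hypothetical configure-time default such as
# ./configure --disabled-versions="TLS1.0 TLS1.1" (not a real GnuTLS option).
COMPILED_IN_DISABLED = ("TLS1.0", "TLS1.1")
ALL_VERSIONS = ("TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3")


def apply_config(disabled, config_text, key="disabled-versions"):
    """Apply one ini-style file to the current disabled list.

    'key = value' appends value (additive); a bare 'key =' resets the list
    to empty, like list-valued options in systemd unit drop-ins.
    """
    result = list(disabled)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue  # blank lines, comments and section headers
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        k, _, v = line.partition("=")
        if k.strip() != key:
            continue
        v = v.strip()
        if v == "":
            result = []  # explicit reset: drops the compiled-in defaults too
        elif v not in result:
            result.append(v)  # additive
    return result


def effective_disabled(config_files, compiled_in=COMPILED_IN_DISABLED):
    """Fold the main config and its drop-ins (in order) over the build default."""
    disabled = list(compiled_in)
    for text in config_files:
        disabled = apply_config(disabled, text)
    return disabled


def enabled_versions(config_files, compiled_in=COMPILED_IN_DISABLED):
    disabled = set(effective_disabled(config_files, compiled_in))
    return [v for v in ALL_VERSIONS if v not in disabled]


# Constructed sample files: a distribution policy and a site drop-in.
DISTRO_CONFIG = "[overrides]\n# also retire TLS1.2 on this host\ndisabled-versions = TLS1.2\n"
SITE_DROPIN = "[overrides]\n# reset, then disable only TLS1.0\ndisabled-versions =\ndisabled-versions = TLS1.0\n"
```

With only the build default, TLS1.0 and TLS1.1 are disabled; the drop-in's reset leaves TLS1.1 enabled again even though nothing in the site file mentions it.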