[gnutls-devel] GnuTLS | DTLS priority enables TLS1.2 (#1054)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Tue Jul 28 12:11:06 CEST 2020
Miroslav Lichvar created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1054
## Description of problem:
On a TLS server, I'd like to disable all TLS versions before TLSv1.3. When I set the priority to
```
NORMAL:-VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.0:-VERS-TLS1.1
```
it seems clients can still connect using TLS1.2. But when I add there `-VERS-DTLS-ALL`, it works as expected. If DTLS1.0 or DTLS1.2 is enabled, the server allows the client to use TLS1.2. I think that's unexpected, or at least I couldn't find an explanation in the documentation.
## Version of gnutls used:
gnutls-3.6.14
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Fedora
## How reproducible:
Always
Steps to Reproduce:
* gnutls-serv --x509keyfile=server.key --x509certfile=server.crt --priority="NORMAL:-VERS-TLS1.2:-VERS-TLS1.0:-VERS-TLS1.1"
* gnutls-cli server.example.net -p 5556 --priority="NORMAL:-VERS-ALL:+VERS-TLS1.2"
## Actual results:
Handshake completed
## Expected results:
Handshake failed
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1054
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200728/7506ba5b/attachment.html>
More information about the Gnutls-devel
mailing list