<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p dir="auto">If a server calls <code>gnutls_priority_set</code> in a post client hello function, the handshake breaks unless both peers support TLS 1.3. This breaks servers that allow virtual hosts (using SNI) that may have different priority settings, because they have to load the right priorities after parsing the SNI.</p>
<p dir="auto">I discovered the problem while testing mod_gnutls with <strong>GnuTLS 3.6.4</strong> (at commit <a href="https://gitlab.com/gnutls/gnutls/commit/1c0b4baa6a88bfb79a30eb6fb7c579688d40034e" data-original="1c0b4baa6a88bfb79a30eb6fb7c579688d40034e" data-link="false" data-link-reference="false" data-project="179611" data-commit="1c0b4baa6a88bfb79a30eb6fb7c579688d40034e" data-reference-type="commit" data-container="body" data-placement="bottom" title="released 3.6.4" class="gfm gfm-commit has-tooltip">1c0b4baa</a>).</p>
<h2 dir="auto">
<a id="user-content-steps-to-reproduce" class="anchor" href="#steps-to-reproduce" aria-hidden="true"></a>Steps to Reproduce:</h2>
<ol dir="auto">
<li>Compile <a href="https://gitlab.com/gnutls/gnutls/uploads/ea95edee70927b2d3315e53fd007a020/prio-issue-repro.c">prio-issue-repro.c</a> (slightly modified version of the echo server example <code>doc/examples/ex-serv-x509.c</code>)</li>
<li>Run the binary (expects a certificate <code>server/x509.pem</code> and private key <code>server/secret.key</code>) and try the following client commands.</li>
<li><code>gnutls-cli -p 5556 localhost --insecure --priority=NORMAL</code></li>
<li><code>gnutls-cli -p 5556 localhost --insecure --priority=NORMAL:-VERS-TLS1.3</code></li>
</ol>
<p dir="auto">(<code>--insecure</code> just to ignore certificate validation)</p>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<p dir="auto">The first <code>gnutls-cli</code> call connects successfully and you can use the echo server. The second one fails; the server logs <code>Handshake has failed (No supported cipher suites have been found.)</code></p>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p dir="auto">Both client commands should work. If you comment out the <code>CHECK(gnutls_priority_set(session, *p));</code> line in the <code>hello_prio</code> function, they do, which is why I believe the issue is triggered by <code>gnutls_priority_set</code>.</p>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/580">view it on GitLab</a>.
</p>
</div>
</body>
</html>