[Help-gnutls] Default record version

[Martin von Gagern]

Hi!

I could use a bit of adivce regarding an issue in pidgin talking to MSN
servers, see http://developer.pidgin.im/ticket/3456 for the full report.

One of the MSN servers, 65.54.170.19, immediately terminates a
connection started by GnuTLS using TLS 1.1. When restricting the
protocol to TLS 1.0, the connection works all right. This behaviour can
be reproduced using gnutls-cli, and also shows up as a failed fallback
from TLS 1.1 in gnutls-cli-debug [1].

darkrain42 noticed that according to RFC4346 (TLS 1.1) Appendix E [2], a
TLS client should use an older record version for the sake of backwards
compatibility. And indeed, when using an older record version (SSL 3.0
or TLS 1.0) but indicating TLS 1.1 in the client hello, the connection
with the server in question can be established successfully.

My first question is this: is there a good reason that GnuTLS doesn't
indicate an older record version in accordance with appendix E by default?

It seems that _gnutls_record_set_default_version would provide a way to
get the intended behaviour of an older record version but a recent
client hello version. That function doesn't seem to be intended as part
of the public interface of GnuTLS, though [3]. Why is that?

Do you have any other suggestions as to how to achive backwards
compatibility with such servers without too much programming overhead,
and without denying more recent TLS versions in cases where both sides
can use them?

I'd appriciate your opinion on this.

Greetings,
 Martin von Gagern

[1] http://developer.pidgin.im/ticket/3456#comment:10
[2] http://tools.ietf.org/html/rfc4346#appendix-E
[3] http://developer.pidgin.im/ticket/3456#comment:22

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090215/cc34de05/attachment.pgp>