[Help-gnutls] Default record version

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Feb 15 18:30:27 CET 2009

Martin von Gagern wrote:
> Hi!
> I could use a bit of adivce regarding an issue in pidgin talking to MSN
> servers, see http://developer.pidgin.im/ticket/3456 for the full report.
> One of the MSN servers,, immediately terminates a
> connection started by GnuTLS using TLS 1.1. When restricting the
> protocol to TLS 1.0, the connection works all right. This behaviour can
> be reproduced using gnutls-cli, and also shows up as a failed fallback
> from TLS 1.1 in gnutls-cli-debug [1].
> darkrain42 noticed that according to RFC4346 (TLS 1.1) Appendix E [2], a
> TLS client should use an older record version for the sake of backwards
> compatibility. And indeed, when using an older record version (SSL 3.0
> or TLS 1.0) but indicating TLS 1.1 in the client hello, the connection
> with the server in question can be established successfully.
> My first question is this: is there a good reason that GnuTLS doesn't
> indicate an older record version in accordance with appendix E by default?

This is tricky. There are other servers that do not operate well if the
client hello version does not match record version. This is the reason
why gnutls has this behavior. Of course this was noticed many years ago.
I don't know how many servers now have this problem.

> It seems that _gnutls_record_set_default_version would provide a way to
> get the intended behaviour of an older record version but a recent
> client hello version. That function doesn't seem to be intended as part
> of the public interface of GnuTLS, though [3]. Why is that?

It was meant as a hack to test for buggy servers that I mentioned above.
I don't think it should be normally used. A better solution would be to
have a priority string %RFC4346 that would enforce that behavior. What
do you think on that?


More information about the Gnutls-help mailing list