[Help-gnutls] Re: Default record version
simon at josefsson.org
Mon Feb 16 09:42:48 CET 2009
Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:
> Martin von Gagern wrote:
>>>> It seems that _gnutls_record_set_default_version would provide a way to
>>>> get the intended behaviour of an older record version but a recent
>>>> client hello version. That function doesn't seem to be intended as part
>>>> of the public interface of GnuTLS, though. Why is that?
>>> It was meant as a hack to test for buggy servers that I mentioned above.
>>> I don't think it should be normally used. A better solution would be to
>>> have a priority string %RFC4346 that would enforce that behavior. What
>>> do you think on that?
>> The reference to RFC 4346 in your sentence confuses me, especially as I
>> see no reference to a "priority string" in that RFC. The only possible
>> interpretation of your suggestion would be to use a call to
>> gnutls_protocol_set_priority in order to disable TLS 1.1, thus enforcing
>> a TLS 1.0 record header and client hello.
> What I meant is to have this %RFC4346 option in the priority string in
> order to specify that the way the client hello and first record version
> will be according to appendix E as you quoted before (lowest supported
> record version, SSL 3.0, and highest supported client hello version,
> TLS 1.1). The priority string is gnutls specific and means the string
> you specify in the set_priority functions.
I think a priority string to configure this seems like a good idea;
however, please use a more descriptive name than %RFC4346 (which has
already been obsoleted by RFC 5246). How about
%USE-TLS1.0-RECORD-VERSION? And %USE-SSL3-RECORD-VERSION if we need to
be able to set both SSL 3.0 and TLS 1.0 record versions.
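As an added illustration of the Appendix E behaviour discussed in this thread (this is example code written for this page, not GnuTLS code and not part of any message above): a small Python parser that pulls the record-layer version out of the 5-byte TLS record header and the client_version out of the ClientHello body, so the two can be compared directly. The sample record it builds is constructed for the example; the all-zero random, the single cipher suite value and the function names are assumptions, not anything taken from GnuTLS.

```python
"""Extract the two version fields of a TLS record carrying a ClientHello.

RFC 4346 Appendix E allows a client's first record to carry a low
record-layer version (for example SSL 3.0 = 3,0) while the ClientHello
inside it carries the highest version the client supports (for example
TLS 1.1 = 3,2). Parsing both fields shows exactly what a server sees on
the wire. Added example, not GnuTLS code.
"""
import struct

VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

CONTENT_TYPE_HANDSHAKE = 22      # TLS record content type "handshake"
HANDSHAKE_TYPE_CLIENT_HELLO = 1  # HandshakeType client_hello


def parse_client_hello_versions(record: bytes):
    """Return ((rec_major, rec_minor), (hello_major, hello_minor)).

    `record` is one complete TLS record: a 5-byte record header followed by
    a single Handshake message whose body is a ClientHello. Malformed or
    truncated input raises ValueError rather than returning garbage.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, rec_major, rec_minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {content_type})")
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("record length field does not match payload")
    # Handshake header: 1-byte msg_type, 3-byte length (big-endian).
    if len(body) < 4:
        raise ValueError("truncated handshake header")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != HANDSHAKE_TYPE_CLIENT_HELLO:
        raise ValueError(f"not a ClientHello (handshake type {hs_type})")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 2:
        raise ValueError("truncated ClientHello")
    # ClientHello starts with client_version: ProtocolVersion {major, minor}.
    return (rec_major, rec_minor), (hello[0], hello[1])


def build_client_hello_record(record_version, client_version, random_bytes=b"\x00" * 32):
    """Build a minimal ClientHello record (constructed sample, not a real handshake).

    ClientHello layout used here: client_version(2) random(32) session_id_len(1)=0
    cipher_suites_len(2) cipher_suites compression_methods_len(1)=1 null(1).
    """
    cipher_suites = b"\x00\x2f"  # constructed: one suite, TLS_RSA_WITH_AES_128_CBC_SHA
    hello = (bytes(client_version) + random_bytes + b"\x00"
             + struct.pack("!H", len(cipher_suites)) + cipher_suites + b"\x01\x00")
    handshake = (bytes([HANDSHAKE_TYPE_CLIENT_HELLO])
                 + len(hello).to_bytes(3, "big") + hello)
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(record_version)
            + struct.pack("!H", len(handshake)) + handshake)


def describe(record: bytes) -> str:
    """Human-readable summary of the two version fields."""
    rec_v, hello_v = parse_client_hello_versions(record)
    return (f"record layer {VERSION_NAMES.get(rec_v, rec_v)}, "
            f"client hello {VERSION_NAMES.get(hello_v, hello_v)}")


if __name__ == "__main__":
    # Appendix E style: lowest supported version in the record header,
    # highest supported version in the ClientHello.
    print(describe(build_client_hello_record((3, 0), (3, 2))))
    # Same version in both places.
    print(describe(build_client_hello_record((3, 2), (3, 2))))
```

Running the block prints one line per constructed record; the first shows a record header of SSL 3.0 wrapping a ClientHello of TLS 1.1, which is the combination the thread wants a priority-string option to request.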