GnuTLS priority strings

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Apr 25 21:13:49 CEST 2011


On 04/25/2011 08:57 PM, Martin Lambers wrote:
> Hi all,
> 
> I have some trouble with priority strings since
> gnutls_protocol_set_priority() is deprecated:
> Both msmtp and mpop can pass user-specified priority strings to GnuTLS,
> and both also provide the independent option to force SSLv3.
> Up until now, I could specify the priority string with
> gnutls_priority_set_direct() and subsequently use
> gnutls_protocol_set_priority() to force SSLv3, and this worked as expected.
> To avoid using a deprecated function, I now need to force SSLv3 by
> extending a given priority string.
> I tried to append ":-VERS-TLS-ALL:+VERS-SSL3.0" (e.g.
> "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"), but this does not work: it still
> results in other TLS versions being enabled. Apparently later entries do
> not override previous entries. So how should this be done instead?

The way you describe is the correct one. If I try this priority string
with gnutls-cli of 2.12.3, I only see SSL 3.0 being advertised. Could
it be that you overwrite the priorities by calling some other priority
function later?

regards,
Nikos
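
The approach confirmed in the reply, as an added example that is not code from msmtp, mpop or GnuTLS: the user's priority string and the force-SSLv3 option are merged into one string and applied with a single gnutls_priority_set_direct() call, with no other priority function called afterwards. The names build_priority, apply_priority and USE_GNUTLS and the 512-byte buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Suffix quoted in the thread for forcing SSL 3.0. */
#define FORCE_SSL3_SUFFIX ":-VERS-TLS-ALL:+VERS-SSL3.0"

/* Hypothetical helper: merge the user-specified priority string (NULL or
 * empty falls back to "NORMAL") with the independent force-SSLv3 option.
 * Returns 0 on success, -1 if the result does not fit in out. */
int build_priority(const char *user, int force_sslv3, char *out, size_t outlen)
{
    const char *base = (user && *user) ? user : "NORMAL";
    int n = snprintf(out, outlen, "%s%s", base,
                     force_sslv3 ? FORCE_SSL3_SUFFIX : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

#ifdef USE_GNUTLS  /* build with: cc -DUSE_GNUTLS example.c -lgnutls */
#include <gnutls/gnutls.h>

/* Hypothetical wrapper: apply the merged string in one call. Calling
 * another priority function on this session afterwards (for example
 * gnutls_set_default_priority) would replace what is set here. */
int apply_priority(gnutls_session_t session, const char *user, int force_sslv3)
{
    char prio[512];
    const char *err_pos = NULL;
    int ret;

    if (build_priority(user, force_sslv3, prio, sizeof prio) != 0)
        return GNUTLS_E_INVALID_REQUEST;

    ret = gnutls_priority_set_direct(session, prio, &err_pos);
    if (ret != GNUTLS_E_SUCCESS)
        fprintf(stderr, "priority string rejected at: %s\n",
                err_pos ? err_pos : prio);
    return ret;
}
#endif
```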





