GnuTLS priority strings

Martin Lambers marlam at
Mon Apr 25 21:34:29 CEST 2011

Hi Nikos,

On 25/04/11 21:13, Nikos Mavrogiannopoulos wrote:
> On 04/25/2011 08:57 PM, Martin Lambers wrote:
>> I have some trouble with priority strings since
>> gnutls_protocol_set_priority() is deprecated:
>> Both msmtp and mpop can pass user-specified priority strings to GnuTLS,
>> and both also provide the independent option to force SSLv3.
>> Up until now, I could specifiy the priority string with
>> gnutls_priority_set_direct() and subsequently use
>> gnutls_protocol_set_priority() to force SSLv3, and this worked as expected.
>> To avoid using a deprecated function, I now need to force SSLv3 by
>> extending a given priority string.
>> I tried to append ":-VERS-TLS-ALL:+VERS-SSL3.0" (e.g.
>> "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"), but this does not work: it still
>> results in other TLS versions being enabled. Apparently later entries do
>> not override previous entries. So how should this be done instead?
> The way you describe is the correct one. If I try this priority string
> to gnutls-cli of 2.12.3 I only see SSL 3.0 being advertised. Could
> it be that you overwrite the priorities by calling some other priority
> function later?

Thanks for your help. The error was that I used "VERS-TLS-ALL" with
GnuTLS 2.8.6, which silently ignored this. I then tried with GnuTLS
2.10.5 on a different system, and that complained about it. At that
point did I realize that VERS-TLS-ALL is only available in GnuTLS 2.12.x...

So now I append ":-VERS-TLS-ALL:+VERS-SSL3.0" with GnuTLS >= 2.12, and
":-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0" with GnuTLS <
2.12, and this seems to work fine.


More information about the Gnutls-help mailing list