GnuTLS priority strings

Nikos Mavrogiannopoulos nmav at
Tue Apr 26 20:31:56 CEST 2011

On 04/25/2011 09:34 PM, Martin Lambers wrote:

>>> I tried to append ":-VERS-TLS-ALL:+VERS-SSL3.0" (e.g.
>>> "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"), but this does not work: it still
>>> results in other TLS versions being enabled. Apparently later entries do
>>> not override previous entries. So how should this be done instead?
>> The way you describe is the correct one. If I try this priority string
>> to gnutls-cli of 2.12.3 I only see SSL 3.0 being advertised. Could
>> it be that you overwrite the priorities by calling some other priority
>> function later?
> Thanks for your help. The error was that I used "VERS-TLS-ALL" with
> GnuTLS 2.8.6, which silently ignored this. I then tried with GnuTLS
> 2.10.5 on a different system, and that complained about it. At that
> point did I realize that VERS-TLS-ALL is only available in GnuTLS 2.12.x...
> So now I append ":-VERS-TLS-ALL:+VERS-SSL3.0" with GnuTLS >= 2.12, and
> ":-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0" with GnuTLS <
> 2.12, and this seems to work fine.

If you do this for compatibility you might want to try "NORMAL:%COMPAT"
instead of disabling protocol versions (if you are a server). If you
are a client you might want to disable TLS 1.1 and TLS 1.2 as a
number of servers refuse to talk if presented with version numbers
they don't understand. I'm not aware though of any server having
issues with TLS 1.0.


More information about the Gnutls-help mailing list