GnuTLS priority strings

Martin Lambers marlam at marlam.de
Tue Apr 26 23:24:56 CEST 2011


On 26/04/11 20:31, Nikos Mavrogiannopoulos wrote:
>>>> I tried to append ":-VERS-TLS-ALL:+VERS-SSL3.0" (e.g.
>>>> "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"), but this does not work: it still
>>>> results in other TLS versions being enabled. Apparently later entries do
>>>> not override previous entries. So how should this be done instead?
>>>
>>> The way you describe is the correct one. If I try this priority string
>>> to gnutls-cli of 2.12.3 I only see SSL 3.0 being advertised. Could
>>> it be that you overwrite the priorities by calling some other priority
>>> function later?
>> Thanks for your help. The error was that I used "VERS-TLS-ALL" with
>> GnuTLS 2.8.6, which silently ignored this. I then tried with GnuTLS
>> 2.10.5 on a different system, and that complained about it. At that
>> point I realized that VERS-TLS-ALL is only available in GnuTLS 2.12.x...
>> So now I append ":-VERS-TLS-ALL:+VERS-SSL3.0" with GnuTLS >= 2.12, and
>> ":-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0" with GnuTLS <
>> 2.12, and this seems to work fine.
> 
> If you do this for compatibility you might want to try "NORMAL:%COMPAT"
> instead of disabling protocol versions (if you are a server). If you
> are a client you might want to disable TLS 1.1 and TLS 1.2 as a
> number of servers refuse to talk if presented with version numbers
> they don't understand. I'm not aware though of any server having
> issues with TLS 1.0.

I'm a client, and I do this only if the user specified the force_sslv3
option. This option was added ca. 5 years ago to work around problems
with servers that were called "ancient" already at that time. I doubt
that it is still relevant today, but I don't want to remove this option
if it can be avoided; someone might still use it.

Martin
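The following is an added example, not code from the thread or from GnuTLS: a small model of how the VERS-* keywords of a priority string are evaluated left to right, showing why "-VERS-TLS-ALL" appeared to do nothing on 2.8.6 (unknown keyword silently dropped) while 2.10.5 rejected it. It assumes NORMAL enables SSL3.0 and TLS1.0 through TLS1.2 (as the pre-2.12 string above implies) and that VERS-TLS-ALL is recognised from 2.12 on; the version threshold and the two suffixes are taken from the post.

```python
# Added example: a model of GnuTLS VERS-* keyword handling, not GnuTLS code.
# Assumption: NORMAL enables these versions (implied by the <2.12 string).
NORMAL_VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2")
TLS_VERSIONS = ("TLS1.0", "TLS1.1", "TLS1.2")


class PriorityError(ValueError):
    """Raised for an unrecognised keyword, mirroring 2.10.5's complaint."""


def known_version_keywords(gnutls_version):
    """VERS-* keywords a release understands (assumed: TLS-ALL from 2.12)."""
    keywords = {"VERS-" + v: (v,) for v in NORMAL_VERSIONS}
    if gnutls_version >= (2, 12):
        keywords["VERS-TLS-ALL"] = TLS_VERSIONS
    return keywords


def enabled_versions(priority, gnutls_version, strict=True):
    """Return the protocol versions a client would advertise.

    Entries are applied in order: '-KEY' removes versions, '+KEY' appends
    them. An unknown keyword raises when strict (2.10.x behaviour) and is
    silently dropped otherwise (the 2.8.6 behaviour described above).
    """
    keywords = known_version_keywords(gnutls_version)
    entries = priority.split(":")
    if entries[0] != "NORMAL":
        raise PriorityError("model only covers strings starting with NORMAL")
    enabled = list(NORMAL_VERSIONS)
    for entry in entries[1:]:
        if not entry or entry[0] not in "+-" or not entry[1:].startswith("VERS-"):
            continue  # cipher, MAC and %COMPAT entries are outside this model
        sign, key = entry[0], entry[1:]
        if key not in keywords:
            if strict:
                raise PriorityError("unknown keyword %r in %r" % (key, entry))
            continue  # silently ignored: the string "works" but changes nothing
        for version in keywords[key]:
            if sign == "-":
                enabled = [v for v in enabled if v != version]
            elif version not in enabled:
                enabled.append(version)
    return enabled


def force_sslv3_priority(gnutls_version):
    """Choose the suffix the post uses for the running GnuTLS release."""
    if gnutls_version >= (2, 12):
        return "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"
    return "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0"
```

Running the 2.12-only string through the model with strict=False reproduces the symptom from the first message: all TLS versions stay enabled.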
