[gnutls-help] Ciphersuite minimal version inconsistency?
nmav at gnutls.org
Fri Feb 28 19:43:18 CET 2014
On 02/28/2014 04:38 PM, Manuel Pégourié-Gonnard wrote:
> % gnutls-cli --version | head -n1
> gnutls-cli 3.2.11
> % gnutls-cli --list | grep DHE_PSK_ARC
> TLS_ECDHE_PSK_ARCFOUR_128_SHA1 0xc0, 0x33 SSL3.0
> TLS_DHE_PSK_ARCFOUR_128_SHA1 0x00, 0x8e TLS1.0
> I have trouble getting why the DHE_PSK suite would require TLS 1.0 while the
> ECDHE_PSK one would work with SSL 3.0. AFAICS, neither RFC 4279 nor 5489, which
> define these suites, say anything about a minimum version for them.
> Am I missing something?
The RFCs you refer to don't mention SSL 3.0 at all, so my approach was
to allow these algorithms for TLS 1.0 or later. Unfortunately openssl
was negotiating these algorithms on SSL 3.0 as well, so I allowed some
of them in SSL 3.0 as well. I asked the TLS WG at the time, and there
was no real answer. Anyway maybe it makes sense to allow all the TLS 1.0
ciphersuites in SSL 3.0 as well to prevent any incompatibilities.
More information about the Gnutls-help