[gnutls-help] priority strings

Jeremy Harris jgh at wizmail.org
Mon Aug 20 14:33:40 CEST 2018


On 08/13/2018 07:25 AM, Nikos Mavrogiannopoulos wrote:
> Maybe we should document that the none + build up approach is
> version-specific and cannot be guaranteed to work on protocol updates,
> or across minor gnutls version updates. That was not the original
> intention, but in practice over every TLS update (1.1 -> 1.2 -> 1.3)
> these strings that were derived from none broke.
> 
>> How about
>> NORMAL:-VERS-ALL:+VERS-TLS-ALL:-KX-ALL:+RSA:-CIPHER-ALL:+AES-128-CBC:+CAMELLIA-256-GCM:-COMP-ALL:+COMP-NULL
> 
> That is certainly much better, but from the perspective of someone who
> has seen numerous such priority strings in applications, I'd
> really recommend using the defaults.

The use-case here is for testing an application.  So I need
to be able to set odd combinations, for example to check
what happens at application level when the TLS connect
fails for lack of compatible key-exchange.

Having to make the testsuite tls-library-version aware
would be sucky.

Also fails, presumably for equivalent reasons:

gnutls_priority_init(NORMAL:!MAC-ALL:+MD5) failed at offset 0,
"NORMAL.."): No or insufficient priorities were set.

-- 
Cheers,
  Jeremy
