[gnutls-help] priority strings
Jeremy Harris
jgh at wizmail.org
Mon Aug 20 14:33:40 CEST 2018
On 08/13/2018 07:25 AM, Nikos Mavrogiannopoulos wrote:
> Maybe we should document that the none + build up approach is
> version-specific and cannot be guaranteed to work on protocol updates,
> or across minor gnutls version updates. That was not the original
> intention, but in practice over every TLS update (1.1 -> 1.2 -> 1.3)
> these strings that were derived from none broke.
>
>> How about
>> NORMAL:-VERS-ALL:+VERS-TLS-ALL:-KX-ALL:+RSA:-CIPHER-ALL:+AES-128-CBC:+CAMELLIA-256-GCM:-COMP-ALL:+COMP-NULL
>
> That is certainly much better, but from the perspective of someone who
> has seen numerous of these priority strings in applications, I'd
> really recommend using the defaults.
The use-case here is for testing an application. So I need
to be able to set odd combinations, for example to check
what happens at application level when the TL connect
fails for lack of compatible key-exchange.
Having to make the testsuite tls-library-version aware
would be sucky.
Also fails, presumably for equivalent reasons:
gnutls_priority_init(NORMAL:!MAC-ALL:+MD5) failed at offset 0,
"NORMAL.."): No or insufficient priorities were set.
--
Cheers,
Jeremy
More information about the Gnutls-help
mailing list