[gnutls-help] "built-in" gnutls config, with optional-only config file on disk

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Dec 16 21:22:56 CET 2019

On Mon, Dec 16, 2019 at 4:17 AM Dimitri John Ledkov <xnox at ubuntu.com> wrote:
> In Ubuntu, gnutls default priority is set to "NORMAL", however, I kind
> of like how on Fedora it is set to "@SYSTEM" and then a system config
> file defines what that actually means. Allowing users to override that
> system-wide.
> However, there are a few issues with that. It creates a hard
> dependency between libgnutls and config file on disk, and said config
> file must always specify [priorities] SYSTEM=, as otherwise setting
> default priorities fails. (and apparmor profile must allow reading
> said config, etc.)
> Prime example, gnutls testuite fails, as it uses a custom
> tests/system.prio without SYSTEM= specified. And for example, one can
> see in Fedora spec file that 'echo SYSTEM=NORMAL >> tests/system.prio'
> is done to unbreak the testsuite.
> It also means, that if one copies all the library dependencies of an
> app, without the config file into chroot/initrd/container/etc one may
> get non-working gnutls, or the one that behaves differently.
> Is there a way to provide built-in compiled defaults that operate with
> or without a config file on disk? I.e. something like use @SYSTEM if
> exists, otherwise fallback to "NORMAL"? That way, with or without
> config, default behaviour is the same, setting default-priority always
> works and users can still override it.

I believe you can do what you describe by specifying a priority string
to applications as "@SYSTEM,NORMAL". With that, the fallback policy
will be the default NORMAL. However that has the drawback that you
cannot know which profile each application will be using. It would be
quite difficult to tell the system state and the expected outcome of a

> What about for the other overrides? I.e. can one somehow compile-in
> default [overrides] that is used, unless system config specifies one?
> I.e. built-in config specifying [overrides] disabled-versions=tls1.0,
> with users able to turn it back on by creating the config and
> specifying like empty [overrides] paragraph, or like using
> reenable-versions=tls1.0.
> Maybe I am overthinking all of this, and what I really want is simply
> support for
>     [overrides]
>     default-priority-string = NORMAL
> Whilst the library itself is compiled with something stronger, i.e.
> --with-default-priority-string='NORMAL:-VERS-TLS1.0'.

That sounds like something reasonable. There is an ongoing coversation
on how to handle national standards like GOST with a similar mechanism
Would you like to move that discussion there so that we combine the


More information about the Gnutls-help mailing list