[gnutls-help] TLS downgrade at bitbucket.org
Ludovic Courtès
ludo at gnu.org
Sun Jun 20 23:26:13 CEST 2021
Hi Daiki,
Daiki Ueno <ueno at gnu.org> skribis:
> Ludovic Courtès <ludo at gnu.org> writes:
>
>> $ gnutls-cli --priority="NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3" -p https bitbucket.org
[...]
>> Aren’t these two priority strings supposed to be equivalent today?
>
> No. If -VERS-TLS-ALL is used, the default priorities on TLS versions in
> NORMAL are ignored; the user is responsible for building the priority
> string so it reflects the actual preference, which in this case is:
>
> -VERS-TLS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0
Thanks for the explanations. As you suggest, the mistake was that cURL
7.77.0 would pass the priority string in the “wrong order”, preferring
older TLS versions. This is now fixed:
https://github.com/curl/curl/issues/7277
Ludo’.
More information about the Gnutls-help
mailing list