[gnutls-help] TLS downgrade at bitbucket.org

Ludovic Courtès ludo at gnu.org
Sun Jun 20 23:26:13 CEST 2021

Hi Daiki,

Daiki Ueno <ueno at gnu.org> writes:

> Ludovic Courtès <ludo at gnu.org> writes:
>> $ gnutls-cli --priority="NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3" -p https bitbucket.org


>> Aren’t these two priority strings supposed to be equivalent today?
> No.  If -VERS-TLS-ALL is used, the default priorities on TLS versions in
> NORMAL are ignored; the user is responsible for building the priority
> string so it reflects the actual preference, which in this case is:

Thanks for the explanations.  As you suggest, the mistake was that cURL
7.77.0 would pass the priority string in the “wrong order”, preferring
older TLS versions.  This is now fixed:



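Added example, not part of the original message and not code from GnuTLS or cURL: a small lint for the ordering problem discussed in this thread. It assumes, as the thread describes, that once `-VERS-TLS-ALL` appears the version list is built only from the `+VERS-...` tokens that follow, in the order they are written; the function names and result labels are hypothetical.

```python
import re

# Version names as they appear in GnuTLS priority strings, ranked oldest to newest.
RANK = {"SSL3.0": 0, "TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3, "TLS1.3": 4}

# The priority string quoted in the thread.
THREAD_STRING = ("NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:"
                 "-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3")
# Constructed sample: same reset, versions listed newest first.
CONSTRUCTED_STRING = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"


def explicit_versions(priority):
    """Return the user-built TLS version list, or None if no reset was seen."""
    versions = None  # None: the keyword's default version priorities still apply
    for token in priority.split(":"):
        if token == "-VERS-TLS-ALL":
            versions = []  # defaults dropped; the user now owns the ordering
            continue
        m = re.fullmatch(r"([+-])VERS-(.+)", token)
        if not m or versions is None or m.group(2) not in RANK:
            continue
        sign, name = m.groups()
        if sign == "+" and name not in versions:
            versions.append(name)  # assumption: earlier in the list = preferred
        elif sign == "-" and name in versions:
            versions.remove(name)
    return versions


def check_version_order(priority):
    """Classify a priority string by the TLS version order it requests."""
    versions = explicit_versions(priority)
    if versions is None:
        return "defaults"           # nothing to lint, library defaults are used
    if not versions:
        return "no-versions"        # reset with nothing re-enabled
    ranks = [RANK[v] for v in versions]
    if ranks == sorted(ranks, reverse=True):
        return "newest-first"
    return "not-newest-first"       # an older version is listed ahead of a newer one


if __name__ == "__main__":
    for s in (THREAD_STRING, CONSTRUCTED_STRING, "NORMAL"):
        print(check_version_order(s), explicit_versions(s))
```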