help-gnutls

Re: GnuTLS priority strings


From: Nikos Mavrogiannopoulos
Subject: Re: GnuTLS priority strings
Date: Tue, 26 Apr 2011 20:31:56 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.14) Gecko/20110223 Thunderbird/3.1.8

On 04/25/2011 09:34 PM, Martin Lambers wrote:

>>> I tried to append ":-VERS-TLS-ALL:+VERS-SSL3.0" (e.g.
>>> "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"), but this does not work: it still
>>> results in other TLS versions being enabled. Apparently later entries do
>>> not override previous entries. So how should this be done instead?
>>
>> The way you describe is the correct one. If I try this priority string
>> to gnutls-cli of 2.12.3 I only see SSL 3.0 being advertised. Could
>> it be that you overwrite the priorities by calling some other priority
>> function later?
> Thanks for your help. The error was that I used "VERS-TLS-ALL" with
> GnuTLS 2.8.6, which silently ignored this. I then tried with GnuTLS
> 2.10.5 on a different system, and that complained about it. At that
> point I realized that VERS-TLS-ALL is only available in GnuTLS 2.12.x...
> So now I append ":-VERS-TLS-ALL:+VERS-SSL3.0" with GnuTLS >= 2.12, and
> ":-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0" with GnuTLS <
> 2.12, and this seems to work fine.

If you do this for compatibility you might want to try "NORMAL:%COMPAT"
instead of disabling protocol versions (if you are a server). If you
are a client you might want to disable TLS 1.1 and TLS 1.2 as a
number of servers refuse to talk if presented with version numbers
they don't understand. I'm not aware though of any server having
issues with TLS 1.0.

regards,
Nikos
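A toy model of the priority-string behaviour discussed in this thread, added here as an illustration and not GnuTLS's own parser: an initial keyword (NORMAL), then ordered +/- entries that override earlier ones, with VERS-TLS-ALL only recognised from 2.12 on and older releases either silently skipping or rejecting unknown keywords. The NORMAL version set and the exact version thresholds are assumptions made for the model.

```python
# Added example (not GnuTLS code): a toy model of priority-string evaluation.
# Assumptions: NORMAL enables all four versions below; VERS-TLS-ALL exists from
# 2.12 on; releases before 2.10 skip unknown keywords, later ones reject them.
TLS_VERSIONS = ("VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1", "VERS-TLS1.2")
BASE_KEYWORDS = {"NORMAL": set(TLS_VERSIONS)}


def known_version_keywords(gnutls_version):
    """Version keywords this (modelled) GnuTLS release understands."""
    keywords = set(TLS_VERSIONS)
    if gnutls_version >= (2, 12):
        keywords.add("VERS-TLS-ALL")
    return keywords


def expand(keyword):
    """VERS-TLS-ALL stands for every TLS (not SSL) version."""
    if keyword == "VERS-TLS-ALL":
        return {v for v in TLS_VERSIONS if v.startswith("VERS-TLS")}
    return {keyword}


def enabled_versions(priority, gnutls_version):
    """Protocol versions left enabled after applying the entries in order."""
    known = known_version_keywords(gnutls_version)
    strict = gnutls_version >= (2, 10)  # 2.10.5 complained, 2.8.6 did not
    entries = priority.split(":")
    enabled = set(BASE_KEYWORDS[entries[0]])
    for entry in entries[1:]:
        if entry.startswith("%"):  # %COMPAT-style flags do not touch versions
            continue
        sign, keyword = entry[0], entry[1:]
        if keyword not in known:
            if strict:
                raise ValueError(f"unknown priority keyword: {keyword}")
            continue  # older releases silently ignore the entry
        if sign == "-":
            enabled -= expand(keyword)
        elif sign == "+":
            enabled |= expand(keyword)
    return enabled


def ssl3_only_string(gnutls_version):
    """The version-dependent string Martin settled on."""
    if gnutls_version >= (2, 12):
        return "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"
    return "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0"
```

Running the 2.12-style string through the 2.8 model reproduces Martin's first observation (all versions still enabled), while the fallback string yields SSL 3.0 only on either release.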
