[gnutls-devel] GnuTLS priority string bug with *-ALL
Stefan Bühler
stbuehler at lighttpd.net
Thu Jul 18 11:33:09 CEST 2013
Hi,
adding catch-alls doesn't add but replaces the list.
Examples:
* "NONE:+COMP-DEFLATE:+COMP-ALL" - no deflate, only COMP-NULL
* "NONE:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-DTLS-ALL" - only DTLS1.0 and DTLS1.2
I think replacing _set_priority with _add_priority as bulk_fn in
gnutls_priority_init (lib/gnutls_priority.c:~900) should fix this.
Naming them "catch-alls" is misleading anyway, as not all *-ALL sets
actually represent the complete list; sadly neither this fact nor the
actual list a *-ALL represents is documented officially.
Also the manual is outdated; it misses some keywords.
The doc for gnutls_cipher_set_priority says that server order doesn't
matter, but with %SERVER_PRECEDENCE it does.
Also it would be nice if all lists would be accessible through the API
(like gnutls_priority_protocol_list; missing cipher, mac and kx lists).
See gnutls-priority.c at https://gist.github.com/stbuehler/5693466
http://blog.lighttpd.net/gnutls-priority-strings.html is an online
version of gnutls-priority.c the way I think it should work :)
regards,
stefan
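As an added illustration (not code from the mail or from GnuTLS), a small Python model of the priority-string evaluation the mail describes; the *-ALL membership tables are assumptions taken from the mail's own examples, bulk_adds=False reproduces the reported replace behaviour, and bulk_adds=True the add behaviour the mail proposes, so the function can be used to check what a given string actually enables.

```python
# Constructed model of GnuTLS-style priority string evaluation (not GnuTLS code).
# ASSUMPTION: the *-ALL membership below is read from the mail's examples, not
# from the GnuTLS source; real tables differ between versions.
ALL_SETS = {
    "COMP-ALL": ["COMP-NULL"],                      # mail: "only COMP-NULL"
    "VERS-TLS-ALL": ["VERS-TLS1.0", "VERS-TLS1.1", "VERS-TLS1.2"],
    "VERS-DTLS-ALL": ["VERS-DTLS1.0", "VERS-DTLS1.2"],
}


def category(keyword):
    """Map a keyword to the list it affects (only COMP and VERS are modelled)."""
    if keyword.startswith("COMP-"):
        return "COMP"
    if keyword.startswith("VERS-"):
        return "VERS"
    raise ValueError("unmodelled keyword: " + keyword)


def apply_priority(priority, bulk_adds=True):
    """Evaluate a 'NONE:...' priority string and return the resulting lists.

    bulk_adds=False models the bug reported in the mail: a '+' on a *-ALL
    keyword replaces the whole category list (_set_priority semantics).
    bulk_adds=True models the proposed fix: *-ALL appends its members in order
    (_add_priority semantics), skipping entries already present.
    """
    lists = {"COMP": [], "VERS": []}
    for token in priority.split(":"):
        if token == "NONE":
            lists = {"COMP": [], "VERS": []}   # start from an empty configuration
            continue
        sign, kw = token[0], token[1:]
        if sign not in "+-":
            raise ValueError("expected +/- prefix in: " + token)
        members = ALL_SETS.get(kw, [kw])
        cat = category(kw)
        if sign == "-":
            lists[cat] = [x for x in lists[cat] if x not in members]
        elif kw in ALL_SETS and not bulk_adds:
            lists[cat] = list(members)          # buggy: earlier '+' entries are lost
        else:
            for m in members:
                if m not in lists[cat]:
                    lists[cat].append(m)
    return lists


if __name__ == "__main__":
    s = "NONE:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-DTLS-ALL"
    print("reported:", apply_priority(s, bulk_adds=False)["VERS"])
    print("proposed:", apply_priority(s)["VERS"])
```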