gnutls-cli fails to handshake with Exchange server that uses DES-CBC3-SHA cipher

Nikos Mavrogiannopoulos nmav at
Mon Apr 2 17:46:30 CEST 2012

2012/4/2 Ted Zlatanov <tzz at>:

> NM> You cannot in general distinguish a negotiation with a broken server and
> NM> negotiation failure. What (I think) browsers do is if negotiation fails
> NM> they fallback to the most compatible mode (SSL 3.0 or so).
> So you're suggesting to try a weaker (more compatible) priority string,
> right?  We could do that per server name.  Considering we have just one
> bug report on this and from a broken server, I'm not sure it's worth the
> effort to automate the fallback.  In your experience, is this a
> widespread problem worth addressing through code, or is it better as a
> FAQ?

Experience has shown that there are quite many broken servers [0]
out there, so we'd encourage applications to have a fallback strategy.
Whether that would include manual intervention of the user or not is not
as important.



More information about the Gnutls-devel mailing list