gnutls-cli fails to handshake with Exchange server that uses DES-CBC3-SHA cipher
Nikos Mavrogiannopoulos
nmav at gnutls.org
Mon Apr 2 17:46:30 CEST 2012
2012/4/2 Ted Zlatanov <tzz at lifelogs.com>:
> NM> You cannot in general distinguish a negotiation with a broken server and
> NM> negotiation failure. What (I think) browsers do is if negotiation fails
> NM> they fallback to the most compatible mode (SSL 3.0 or so).
> So you're suggesting to try a weaker (more compatible) priority string,
> right? We could do that per server name. Considering we have just one
> bug report on this and from a broken server, I'm not sure it's worth the
> effort to automate the fallback. In your experience, is this a
> widespread problem worth addressing through code, or is it better as a
> FAQ?
Experience has shown that there are quite a few broken servers [0]
out there, so we'd encourage applications to have a fallback strategy.
Whether that would include manual intervention of the user or not is not
as important.
regards,
Nikos
[0]. http://tools.ietf.org/id/draft-pettersen-tls-interop-experience-00.txt
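
An added example, not part of the original message or of GnuTLS: one way an application could implement the per-server fallback discussed above, bounded by a weakest allowed setting and reporting when it weakened the connection. The priority ladder, the `handshake_fn` hook, the host names and the stand-in server are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* GnuTLS priority strings, strictest first (this ladder is an assumption). */
static const char *const LADDER[] = {
    "NORMAL", "NORMAL:%COMPAT",
    "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:%COMPAT",
    "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:%COMPAT",
};
enum { LADDER_LEN = sizeof LADDER / sizeof LADDER[0], MAX_HOSTS = 16 };

/* Hypothetical hook: open a new connection to host, apply the string with
 * gnutls_priority_set_direct(), run gnutls_handshake(); return 0 on success. */
typedef int (*handshake_fn)(const char *host, const char *priority);

/* Per-server memory of the rung that last worked. */
static struct { char host[64]; int rung; } known[MAX_HOSTS];
static int known_len, attempts;

static int *lookup(const char *host, int create) {
    for (int i = 0; i < known_len; i++)
        if (strcmp(known[i].host, host) == 0) return &known[i].rung;
    if (!create || known_len == MAX_HOSTS || strlen(host) >= sizeof known[0].host)
        return NULL;
    strcpy(known[known_len].host, host);
    return &known[known_len++].rung;
}

/* Try rungs from the remembered one down to `weakest` (the last rung the
 * application or user permits). Returns the rung used or -1; *weakened is
 * set when anything other than "NORMAL" was needed, so the caller can log
 * it or ask the user. */
int connect_with_fallback(const char *host, handshake_fn hs, int weakest, int *weakened) {
    int *saved = lookup(host, 0);
    *weakened = 0;
    for (int r = saved ? *saved : 0; r <= weakest && r < LADDER_LEN; r++) {
        if (hs(host, LADDER[r]) != 0) continue;      /* failed: next rung */
        if (r > 0 && (saved = lookup(host, 1)) != NULL) *saved = r;
        *weakened = (r > 0);
        return r;
    }
    return -1;
}

/* Constructed stand-in for a broken server: only the SSL 3.0 rung works. */
int fake_legacy_server(const char *host, const char *priority) {
    (void)host; attempts++;
    return strstr(priority, "+VERS-SSL3.0") ? 0 : -1;
}

int main(void) {
    int w, r = connect_with_fallback("legacy.example", fake_legacy_server, 3, &w);
    printf("rung=%d weakened=%d attempts=%d\n", r, w, attempts);
    return 0;
}
```

Each retry needs a fresh connection, since a failed handshake cannot be resumed on the same session.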