[libmicrohttpd] SSL handshake fails between libcurl and libgnutls/MHD
Daniel Stenberg
daniel at haxx.se
Mon Jan 23 23:14:44 CET 2012
On Mon, 23 Jan 2012, Nikos Mavrogiannopoulos wrote:
> It doesn't look right. I'd change "-VERS-TLS-ALL:+VERS-SSL3.0" with
> "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0".
>
> However your priority string seem quite radical. You only allow SSL 3.0.
That particular logic is only running when SSL 3.0 is explicitly asked for.
> If you care about interoperability I'd suggest a string similar to
> http://www.gnu.org/software/gnutls/manual/html_node/Interoperability.html
> but even then you have issues like being vulnerable to the "beast" attack.
I'm sorry but I'm not very familiar with SSL at a detailed protocol level. Can
you please tell me how I can ask GnuTLS to use SSL 3.0 _without_ being
vulnerable to something like the "beast" attack?
> btw. gnutls 3.0.12 added a check for gnutls_priority_set_direct() to fail if
> given a string that adds no actual priorities (like the above).
Can I just mention that even after your correction I simply don't understand
the string (and I even thought I copied the string I used from the gnutls
manual) and it makes me slightly frustrated that the API makes it *that* easy
to slip in a mistake that makes the application vulnerable to security
problems. I have read the priority string section of the manual but I must be
equipped with lesser brain cells than the humans that chapter is aimed for.
I realize creating APIs for ignorant users like me is hard and I certainly
appreciate that more recent versions will reject very obvious stupidities...
--
/ daniel.haxx.se
More information about the Gnutls-devel
mailing list