[libmicrohttpd] SSL handshake fails between libcurl and libgnutls/MHD

Daniel Stenberg daniel at haxx.se
Tue Jan 24 00:03:57 CET 2012

On Mon, 23 Jan 2012, Nikos Mavrogiannopoulos wrote:

>> please tell me how I can ask GnuTLS to use SSL 3.0 _without_ being 
>> vulnerable to something like the "beast" attack?
> You cannot. SSL 3.0 and TLS 1.0 are vulnerable to this attack. TLS 1.1 and 
> later versions aren't. There are hacks to mitigate the impact (only on the 
> outgoing packets), but they were removed from gnutls once TLS 1.1 was introduced
> (because they were causing issues with old servers).

Ah, ok then I understand it better. I thought you still had that ability for 
those who'd still use one of the older SSL versions.

I've corrected the used string now in libcurl and it will be included in the 
upcoming release that is due to ship within 24 hours.

>> I have read the priority string section of the manual but I must be 
>> equipped with lesser brain cells than the humans that chapter is aimed for.
> Could you point me to what was not clear to you? That way it would be easier
> for me to elaborate or rewrite parts.

It's not easy to tell what makes documentation hard to read or to understand. 
That syntax format is very large and probably very competent, but all I wanted 
was to find a string that would tell gnutls to use (or prefer) SSL3 and I 
thought I did. Sorry for not being able to describe it better.


  / daniel.haxx.se
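
Added example, not part of the original message and not code from GnuTLS or libcurl: a small checker that reads only the protocol-version tokens of a GnuTLS priority string and reports whether SSL 3.0 or TLS 1.0, the versions the thread names as affected by BEAST, remain enabled. The default version set behind keywords such as NORMAL and the sample strings are assumptions made for illustration.

```python
# Added example: simplified model of the protocol-version tokens in a
# GnuTLS priority string. Cipher, MAC and key-exchange tokens are ignored.
ALL_VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2")
# Per the thread: SSL 3.0 and TLS 1.0 are affected, TLS 1.1 and later are not.
BEAST_VERSIONS = {"SSL3.0", "TLS1.0"}
# Assumption: these keywords start with every version in ALL_VERSIONS enabled.
# The real default set depends on the GnuTLS release.
BASE_KEYWORDS = {"NORMAL", "PERFORMANCE", "SECURE128", "SECURE256", "EXPORT"}


def enabled_versions(priority):
    """Return the set of protocol versions left enabled by a priority string."""
    enabled = set()
    for raw in priority.split(":"):
        token = raw.strip().upper()
        if token in BASE_KEYWORDS:
            enabled = set(ALL_VERSIONS)
        elif token == "NONE":
            enabled = set()
        elif token[:1] in ("+", "-", "!") and token[1:].startswith("VERS-"):
            name = token[len("+VERS-"):]
            # VERS-TLS-ALL is the catch-all for every protocol version.
            targets = set(ALL_VERSIONS) if name == "TLS-ALL" else {name}
            if token[0] == "+":
                enabled |= targets & set(ALL_VERSIONS)
            else:  # "-" and "!" both remove
                enabled -= targets
    return enabled


def beast_exposed(priority):
    """List the enabled versions that the thread names as BEAST-affected."""
    return sorted(enabled_versions(priority) & BEAST_VERSIONS)


if __name__ == "__main__":
    # Constructed sample strings, not taken from libcurl or the thread.
    for s in ("NORMAL",
              "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0",
              "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0"):
        print(f"{s!r}: enabled={sorted(enabled_versions(s))} "
              f"beast={beast_exposed(s)}")
```

An empty result from `beast_exposed` means the string leaves only TLS 1.1 or later enabled; the check looks at versions only and does not consider which cipher suites are negotiated.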

More information about the Gnutls-devel mailing list