Error when viewing HTTPS pages with a browser using GnuTLS

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Mar 29 11:42:55 CEST 2012


On Wed, Mar 28, 2012 at 10:13 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:

>> https://www.microsoft.com
>> The failure is consistent with both the vimprobable2 browser and using
>> the gnutls-cli to connect (same error message in output in both cases).
> Thanks!  I see the same thing you do with gnutls-cli, so i can confirm
> this as an issue with their servers.  I see those connection failures
> even with the priority string NORMAL:+%COMPAT :(
> FWIW, i can get connections to work with both of the above using the
> following priority string:
>  NORMAL:-VERS-TLS1.1:-VERS-TLS1.2

Microsoft servers used to drop connections from TLS protocol versions
they didn't understand instead of doing a negotiation to the highest
common.

A solution is for a client to have a fallback strategy with the priority
strings at:
http://www.gnu.org/software/gnutls/manual/html_node/Interoperability.html

> I'm not sure what the right way to deal with this from GnuTLS is.  Should we
> be doing anything differently to accommodate these non-compliant servers?

This is an old problem and there is not much we can do, except
pointing people to compatibility priority strings. Keeping support for
TLS 1.2 and 1.1 is important as there are issues in all the previous
protocols.

regards,
Nikos
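
The client-side fallback strategy described in this message, as an added example that is not part of the original e-mail or of GnuTLS itself. It tries priority strings from strongest to weakest and reports which one worked, so a connection that only succeeded after dropping TLS 1.1/1.2 is visible to the caller. The function names, the `GNUTLS_CLI` override variable and the ordering of the ladder are assumptions of this example; the priority strings are the ones discussed in the thread.

```shell
#!/bin/sh
# Added example: priority-string fallback for version-intolerant TLS servers.
# GNUTLS_CLI is an assumption of this example: it names the command that
# performs the handshake (default: the real gnutls-cli), so the fallback
# logic can be exercised offline with a stub.
GNUTLS_CLI=${GNUTLS_CLI:-gnutls-cli}

# Ladder, strongest first. NORMAL and the last string are quoted in the
# thread; the middle rung is the %COMPAT keyword the thread also mentions.
PRIORITY_LADDER='NORMAL
NORMAL:%COMPAT
NORMAL:-VERS-TLS1.1:-VERS-TLS1.2'

# try_handshake HOST PORT PRIORITY -> exit status 0 if the handshake completed.
try_handshake() {
    "$GNUTLS_CLI" --priority "$3" -p "$2" "$1" </dev/null >/dev/null 2>&1
}

# negotiate HOST [PORT]
# Prints the first priority string that produced a working handshake.
# Returns 0 if the full-strength string worked, 2 if a weaker rung was
# needed (logged to stderr), 1 if nothing worked.
negotiate() {
    host=$1 port=${2:-443} rung=0
    for prio in $PRIORITY_LADDER; do
        if try_handshake "$host" "$port" "$prio"; then
            printf '%s\n' "$prio"
            [ "$rung" -eq 0 ] && return 0
            echo "warning: $host needed fallback to '$prio'" >&2
            return 2
        fi
        rung=$((rung + 1))
    done
    echo "error: no priority string worked for $host" >&2
    return 1
}
```

Treat exit status 2 as a signal worth logging: a peer that only answers after TLS 1.1 and 1.2 are disabled is either version-intolerant or the connection is being interfered with.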



