gnutls-cli fails to handshake with Exchange server that uses DES-CBC3-SHA cipher

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Mar 31 19:32:16 CEST 2012


On 03/30/2012 02:02 PM, Ted Zlatanov wrote:

> On Thu, 29 Mar 2012 20:22:31 -0400 Thomas Fitzsimmons <fitzsim at fitzsim.org> wrote: 
> 
> TF> Emacs allows overriding the default GnuTLS priority string using a
> TF> variable (gnutls-algorithm-priority) so I set it to "performance" to
> TF> work around this server-side issue.  In cases where Emacs would
> TF> otherwise fail to connect to a server because of a weak ciphersuite
> TF> maybe the UI should warn the user and ask them whether or not to
> TF> proceed.  Anyway, thanks for analyzing the logs.
>
> I don't think currently Emacs can distinguish this case from a normal
> negotiation failure.  The best we can do is to generally suggest a
> weaker priority string, which seems to be a bad idea.  Is there a way to
> determine that this case has occurred?


You cannot in general distinguish between a negotiation with a broken
server and a negotiation failure. What (I think) browsers do is, if
negotiation fails, they fall back to the most compatible mode (SSL 3.0 or so).

regards,
Nikos



