[gnutls-devel] gnutls 3.2.3 segfault in _gnutls_epoch_set_keys

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Aug 3 19:52:58 CEST 2013

On 08/02/2013 04:20 PM, Stefan Bühler wrote:
> Hi,
> I think I found the problem:
> _gnutls_epoch_set_cipher_suite fails, because my normal priority string
> has RC4 disabled; the hello_cb is supposed to enable RC4 for TLS1.0
> Although the callback gets called (and sees the correct version and
> sets the RC4 priority), _gnutls_epoch_set_cipher_suite still doesn't
> accept the RC4 cipher from the ticket state.
> The return value of _gnutls_epoch_set_cipher_suite isn't checked by any
> of the calling functions... this should probably be fixed (same for
> _gnutls_epoch_set_compression and so on).
> Also it'd be nice if the hello callback could change the priority :)

Ah, ok I understand what you're trying to do. I don't think it's worth
the effort though. Both RC4 and AES-CBC are severely broken in so many
ways it doesn't make sense to try to mitigate the issues (a more
advanced ciphersuite selection process would have been nicer though).

Using the "normal" priority string and adding the server precedence
option would help as the best possible option will be used depending on
the client.


More information about the Gnutls-devel mailing list