[gnutls-devel] disabling SSL 3.0 by default in 3.4.0

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Oct 15 22:00:17 CEST 2014


On 10/15/2014 09:25 AM, Nikos Mavrogiannopoulos wrote:

>  Given the new and old attacks known for SSL 3.0, would it make sense
> to disable SSL 3.0 in the default priority strings?

Yes, i think so.  We could add SSL 3.0 into the %COMPAT%
pseudo-priority, but other than that, i don't think we should be
supporting SSLv3.0 by default any more.

	--dkg

PS i find i often need to refer to the full GnuTLS documentation when
i'm trying to cook up a new priority string.  Sometimes, i'm configuring
a machine that has a different version of GnuTLS than i have on my local
machine (where i have the full documentation installed).  Is the priority
string specification available in any of the manpages or as something
that one of the tools could emit by default?  (e.g. "gnutls-cli
--help-priority")  That would make it much easier in the future to know
how to craft a string that would interoperate with the version of gnutls
i'm testing with.
