[gnutls-devel] RSA vs. DHE-RSA with default priority string

Armin Burgmeier armin at arbur.net
Sun May 24 18:12:24 CEST 2015


I have a server [0] which allows use of DHE-RSA but does not enforce it.
It does not support any ECC, though.

When connecting with gnutls-cli from master (and 3.3), it chooses RSA
key exchange instead of DHE-RSA. I only get DHE-RSA when I specify

I compared this to gnutls-cli from gnutls 2.12.23: with the default
priority string, I get DHE-RSA. I could switch to RSA with

The behaviour of gnutls 2.12 seems more reasonable to me. How would I
make the current version of gnutls prefer DHE-RSA but still allow RSA if
the server does not support DH? I understand --priority=PFS completely
disables any non-PFS kx algorithms. I'd prefer not to hand-craft a
priority string that explicitly contains algorithm names, so that I stay


 [0] https://server01.komline.de

More information about the Gnutls-devel mailing list