[gnutls-devel] GnuTLS | Prevent applications from combining legacy versions of TLS with TLS1.3 (!815)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue Nov 27 10:34:52 CET 2018


> I couldn't find issues in the code. But I don't know if I agree that this behaviour is the best. I mean, if you are trying to add TLS1.3, probably you want to use it. But with this fix, when someone tries to "upgrade" the configuration by adding TLS1.3, he/she can end up with only pre-TLS1.2 protocols enabled.

Indeed, this code is about applications which use something like "NORMAL:-VERS-TLS1.2" and expect to have TLS1.0 and TLS1.1 enabled. After the upgrade to a TLS1.3-supporting version this code will enable TLS1.3 in addition to TLS1.1 and TLS1.0 (that's what this wine app was doing).

> Wouldn't it be better to drop TLS1.1/1.0 and keep TLS1.3 instead of the other way around? Or maybe automatically add TLS1.2 when it is missing?

In that particular case the application was specifically requesting TLS1.1 and TLS1.0, thus disabling them and only allowing TLS1.3 would have been the wrong thing to do, in terms of what the application intended, and in practice as its server did not support TLS1.3.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/815#note_120328623
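The version resolution the thread describes, as an added Python model (illustrative code, not GnuTLS's own): a simplified priority-string parser covering only the NORMAL keyword and +VERS-/-VERS- modifiers, followed by the rule from !815 that drops TLS1.3 when TLS1.2 is disabled while TLS1.0/TLS1.1 remain enabled. The version set behind NORMAL is an assumption of the model.

```python
"""Model of GnuTLS priority-string version selection, before and after !815."""
import re

# Assumption of this model: NORMAL enables all four versions, as GnuTLS 3.6
# did at the time of the thread. The real set comes from the library.
NORMAL_VERSIONS = {"TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"}
LEGACY = {"TLS1.0", "TLS1.1"}
_TOKEN = re.compile(r"^([+-])VERS-(TLS1\.[0-3])$")


def enabled_versions(priority: str) -> set[str]:
    """Resolve which protocol versions a (simplified) priority string enables.

    Only NORMAL and +VERS-/-VERS- modifiers are supported; anything else is
    rejected so unsupported syntax is not silently ignored.
    """
    versions: set[str] = set()
    for tok in priority.split(":"):
        if tok == "NORMAL":
            versions |= NORMAL_VERSIONS
            continue
        m = _TOKEN.match(tok)
        if not m:
            raise ValueError(f"unsupported token in model: {tok!r}")
        sign, ver = m.groups()
        (versions.add if sign == "+" else versions.discard)(ver)
    return versions


def apply_mr815(versions: set[str]) -> set[str]:
    """Rule discussed in the thread: TLS1.3 is not combined with legacy
    versions unless TLS1.2 is enabled too. The legacy versions the application
    explicitly kept win, so TLS1.3 is the one dropped."""
    if "TLS1.3" in versions and "TLS1.2" not in versions and versions & LEGACY:
        return versions - {"TLS1.3"}
    return set(versions)


def resolve(priority: str, fixed: bool = True) -> set[str]:
    """Enabled versions for a priority string, with or without the !815 rule."""
    versions = enabled_versions(priority)
    return apply_mr815(versions) if fixed else versions


if __name__ == "__main__":
    for p in ("NORMAL:-VERS-TLS1.2", "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"):
        print(f"{p:45} before: {sorted(resolve(p, False))}")
        print(f"{'':45} after:  {sorted(resolve(p))}")
```

The real library's answer for a given string can be checked with `gnutls-cli --list --priority 'NORMAL:-VERS-TLS1.2'`, which prints the enabled protocols and ciphersuites.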

