[gnutls-devel] GnuTLS | Provide a configuration file (#587)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Oct 8 15:04:21 CEST 2018


The intention is to allow an operating system to say something like this: "by default applications should not be able to negotiate ssl3.0". The problem comes from the fact that very few applications use `gnutls_set_default_priority()`, because for example they needed to add a parameter (e.g., enable PSK ciphersuites with `+PSK`, or enable compatibility mode with `%COMPAT`).

In gnutls 3.6.3 `gnutls_set_default_priority_append()` was added to address that thing, but I'm pretty sure it is going to take years for applications to switch. As such any system wide enforcement of settings will be restricted to some applications only.

The options are:
 1. Discourage applications from setting their own priority string and move them to use `gnutls_set_default_priority_append()` or `gnutls_set_default_priority()`; the question is how to do that?
 2. The "Set global TLS options which no application could override; this should include" above

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/587#note_107211054