[gnutls-help] priority strings
Nikos Mavrogiannopoulos
nmav at gnutls.org
Mon Aug 13 08:25:37 CEST 2018
On Sat, Aug 11, 2018 at 7:01 AM, Andreas Metzler <ametzler at bebt.de> wrote:
> Jeremy Harris <jgh at wizmail.org> wrote:
>> My code is trying to do:
>
>> gnutls_priority_init(NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL)
>
>> This used to work, I think with a previous library version.
>> Under GnuTLS 3.6.3 (on f28) I'm getting:
>
>> "failed at offset 0, "NONE:+VE.." failed: No or insufficient priorities were set".
>
>
>> The manual at https://gnutls.org/manual/html_node/Priority-Strings.html still
>> says, in Table 6.3 for "NONE":
>
>> "Means nothing is enabled. This disables even protocol versions.
>> It should be followed by the algorithms to be enabled."
>
>
>> What should I now be using?
>
> Hello,
>
> playing around with
> gnutls-cli -l --priority '...'
> it looks like adding ':+GROUP-ALL' succeeds. I am not sure this makes
> sense, though, and it has the downside of not being accepted by GnuTLS
> 3.5.x.
Maybe we should document that the none + build up approach is
version-specific and cannot be guaranteed to work on protocol updates,
or across minor gnutls version updates. That was not the original
intention, but in practice over every TLS update (1.1 -> 1.2 -> 1.3)
these strings that were derived from none broke.
> How about
> NORMAL:-VERS-ALL:+VERS-TLS-ALL:-KX-ALL:+RSA:-CIPHER-ALL:+AES-128-CBC:+CAMELLIA-256-GCM:-COMP-ALL:+COMP-NULL
That is certainly much better, but from the perspective of someone who
has seen numerous of these priority strings in applications, I'd
really recommend using the defaults. Applications typically keep that
string fixed for more than a decade whereas gnutls defaults gets
updated (quite conservatively) to eliminate insecure configurations
and add new ciphers (think of SSL3.0, RC4, 3DES, DSA etc). As such,
I'd recommend gnutls_set_default_priority() or
gnutls_set_default_priority_append() -in 3.6.x-.
regards,
Nikos
More information about the Gnutls-help
mailing list