[gnutls-help] priority strings

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Aug 20 14:59:16 CEST 2018


On Mon, Aug 20, 2018 at 2:33 PM, Jeremy Harris <jgh at wizmail.org> wrote:
> On 08/13/2018 07:25 AM, Nikos Mavrogiannopoulos wrote:
>> Maybe we should document that the none + build up approach is
>> version-specific and cannot be guaranteed to work on protocol updates,
>> or across minor gnutls version updates. That was not the original
>> intention, but in practice over every TLS update (1.1 -> 1.2 -> 1.3)
>> these strings that were derived from none broke.
>>
>>> How about
>>> NORMAL:-VERS-ALL:+VERS-TLS-ALL:-KX-ALL:+RSA:-CIPHER-ALL:+AES-128-CBC:+CAMELLIA-256-GCM:-COMP-ALL:+COMP-NULL
>>
>> That is certainly much better, but from the perspective of someone who
>> has seen numerous of these priority strings in applications, I'd
>> really recommend using the defaults.
>
> The use-case here is for testing an application.  So I need
> to be able to set odd combinations, for example to check
> what happens at application level when the TLS connect
> fails for lack of compatible key-exchange.
>
> Having to make the testsuite tls-library-version aware
> would be sucky.
>
> Also fails, presumably for equivalent reasons:
>
> gnutls_priority_init(NORMAL:!MAC-ALL:+MD5) failed at offset 0,
> "NORMAL.."): No or insufficient priorities were set.

Because you are adding MD5 which is only available in combination with
RC4. RC4 is no longer included in the NORMAL set, so you'd need
something like:
'NORMAL:-MAC-ALL:+MD5:+ARCFOUR-128'

regards,
Nikos


