From ssmeenk at freshdot.net  Mon Jun  1 15:35:53 2026
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Mon, 1 Jun 2026 15:35:53 +0200
Subject: [gnutls-help] Priority strings, changing available ciphers
Message-ID: <ah2KufzTXF27n71Y@dot.freshdot.net>

Hi,

I'm having a hard time figuring out 'priority strings' to disable
certain cipher suites that are no longer deemed secure.

GnuTLS 3.8.3, Exim 4.98.

My current priority string is:
   '-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:PFS:SECURE256:%SERVER_PRECEDENCE'

First off, running `gnutls-cli --list --priority ...` on that string
shows eight TLS1.0 ciphers in the list. I would not expect that, given
-VERS-ALL and only 1.2 and 1.3 being enabled again.

According to 'sslyze', this results in these ciphers on my MX:
| * TLS 1.2 Cipher Suites:
|  TLS_RSA_WITH_AES_256_GCM_SHA384               256                 
|  TLS_RSA_WITH_AES_256_CCM                      256                 
|  TLS_RSA_WITH_AES_256_CBC_SHA                  256                 
|  TLS_RSA_WITH_AES_128_GCM_SHA256               128                 
|  TLS_RSA_WITH_AES_128_CCM                      128                 
|  TLS_RSA_WITH_AES_128_CBC_SHA                  128                 
|  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   256  ECDH: secp256r1 (256 bits)
|  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         256  ECDH: secp256r1 (256 bits)
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            256  ECDH: secp256r1 (256 bits)
|  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         128  ECDH: secp256r1 (256 bits)
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            128  ECDH: secp256r1 (256 bits)
|  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     256  DH (3072 bits) 
|  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384           256  DH (3072 bits) 
|  TLS_DHE_RSA_WITH_AES_256_CCM                  256  DH (3072 bits) 
|  TLS_DHE_RSA_WITH_AES_256_CBC_SHA              256  DH (3072 bits) 
|  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256           128  DH (3072 bits) 
|  TLS_DHE_RSA_WITH_AES_128_CCM                  128  DH (3072 bits) 
|  TLS_DHE_RSA_WITH_AES_128_CBC_SHA              128  DH (3072 bits) 
|
| * TLS 1.3 Cipher Suites:
|  TLS_CHACHA20_POLY1305_SHA256    256  ECDH: secp256r1 (256 bits)
|  TLS_AES_256_GCM_SHA384          256  ECDH: secp256r1 (256 bits)
|  TLS_AES_128_GCM_SHA256          128  ECDH: secp256r1 (256 bits)
|  TLS_AES_128_CCM_SHA256          128  ECDH: secp256r1 (256 bits)

>From this list i want to disable these ciphers:
| TLS_DHE_RSA_AES_256_CBC_SHA1       0x00, 0x39  TLS1.0
| TLS_DHE_RSA_AES_128_CBC_SHA1       0x00, 0x33  TLS1.0
| TLS_ECDHE_RSA_AES_256_CBC_SHA1     0xc0, 0x14  TLS1.0
| TLS_ECDHE_RSA_AES_128_CBC_SHA1     0xc0, 0x13  TLS1.0
| TLS_RSA_AES_256_GCM_SHA384         0x00, 0x9d  TLS1.2
| TLS_RSA_AES_256_CCM                0xc0, 0x9d  TLS1.2
| TLS_RSA_AES_256_CBC_SHA1           0x00, 0x35  TLS1.0
| TLS_RSA_AES_128_GCM_SHA256         0x00, 0x9c  TLS1.2
| TLS_RSA_AES_128_CCM                0xc0, 0x9c  TLS1.2
| TLS_RSA_AES_128_CBC_SHA1           0x00, 0x2f  TLS1.0

But i seem to only have 'coarse' controls over the available cipher suite.
For example i can only '-AES-256-GCM', which removes five ciphers from
the set. Not just the RSA_AES_256_SHA384 one.

Am i right to note that GnuTLS does not allow for such intricate
configuration of available ciphers?

Hope to hear from somone,

Kind regards,
-Sander Smeenk.
-- 
| Zebras are colored with light stripes on a dark background.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2


From asosedkin at redhat.com  Mon Jun  1 16:25:36 2026
From: asosedkin at redhat.com (Alexander Sosedkin)
Date: Mon, 1 Jun 2026 16:25:36 +0200
Subject: [gnutls-help] Priority strings, changing available ciphers
In-Reply-To: <ah2KufzTXF27n71Y@dot.freshdot.net>
References: <ah2KufzTXF27n71Y@dot.freshdot.net>
Message-ID: <CABMV8QMSm33QzebVc_J8+UkjfJedO3-D_3=HtZgNkNFD0rtYSw@mail.gmail.com>

On Mon, Jun 1, 2026 at 3:53?PM Sander Smeenk <ssmeenk at freshdot.net> wrote:
> I'm having a hard time figuring out 'priority strings' to disable
> certain cipher suites that are no longer deemed secure.
>
> GnuTLS 3.8.3, Exim 4.98.
>
> My current priority string is:
>    '-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:PFS:SECURE256:%SERVER_PRECEDENCE'
>
> First off, running `gnutls-cli --list --priority ...` on that string
> shows eight TLS1.0 ciphers in the list. I would not expect that, given
> -VERS-ALL and only 1.2 and 1.3 being enabled again.
>
> According to 'sslyze', this results in these ciphers on my MX:
> | * TLS 1.2 Cipher Suites:
> |  TLS_RSA_WITH_AES_256_GCM_SHA384               256
> |  TLS_RSA_WITH_AES_256_CCM                      256
> |  TLS_RSA_WITH_AES_256_CBC_SHA                  256
> |  TLS_RSA_WITH_AES_128_GCM_SHA256               128
> |  TLS_RSA_WITH_AES_128_CCM                      128
> |  TLS_RSA_WITH_AES_128_CBC_SHA                  128
> |  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   256  ECDH: secp256r1 (256 bits)
> |  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         256  ECDH: secp256r1 (256 bits)
> |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            256  ECDH: secp256r1 (256 bits)
> |  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         128  ECDH: secp256r1 (256 bits)
> |  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            128  ECDH: secp256r1 (256 bits)
> |  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     256  DH (3072 bits)
> |  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384           256  DH (3072 bits)
> |  TLS_DHE_RSA_WITH_AES_256_CCM                  256  DH (3072 bits)
> |  TLS_DHE_RSA_WITH_AES_256_CBC_SHA              256  DH (3072 bits)
> |  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256           128  DH (3072 bits)
> |  TLS_DHE_RSA_WITH_AES_128_CCM                  128  DH (3072 bits)
> |  TLS_DHE_RSA_WITH_AES_128_CBC_SHA              128  DH (3072 bits)
> |
> | * TLS 1.3 Cipher Suites:
> |  TLS_CHACHA20_POLY1305_SHA256    256  ECDH: secp256r1 (256 bits)
> |  TLS_AES_256_GCM_SHA384          256  ECDH: secp256r1 (256 bits)
> |  TLS_AES_128_GCM_SHA256          128  ECDH: secp256r1 (256 bits)
> |  TLS_AES_128_CCM_SHA256          128  ECDH: secp256r1 (256 bits)
>
> >From this list i want to disable these ciphers:
> | TLS_DHE_RSA_AES_256_CBC_SHA1       0x00, 0x39  TLS1.0
> | TLS_DHE_RSA_AES_128_CBC_SHA1       0x00, 0x33  TLS1.0
> | TLS_ECDHE_RSA_AES_256_CBC_SHA1     0xc0, 0x14  TLS1.0
> | TLS_ECDHE_RSA_AES_128_CBC_SHA1     0xc0, 0x13  TLS1.0
> | TLS_RSA_AES_256_GCM_SHA384         0x00, 0x9d  TLS1.2
> | TLS_RSA_AES_256_CCM                0xc0, 0x9d  TLS1.2
> | TLS_RSA_AES_256_CBC_SHA1           0x00, 0x35  TLS1.0
> | TLS_RSA_AES_128_GCM_SHA256         0x00, 0x9c  TLS1.2
> | TLS_RSA_AES_128_CCM                0xc0, 0x9c  TLS1.2
> | TLS_RSA_AES_128_CBC_SHA1           0x00, 0x2f  TLS1.0

Have you checked that it actually lets you connect with these?

> But i seem to only have 'coarse' controls over the available cipher suite.
> For example i can only '-AES-256-GCM', which removes five ciphers from
> the set. Not just the RSA_AES_256_SHA384 one.
>
> Am i right to note that GnuTLS does not allow for such intricate
> configuration of available ciphers?

It does not, and neither do most of the other TLS libraries.
Usually it's a specific algorithm the system operator doesn't trust in general,
not specific combinations of them.
E.g., your intent looks like a `:-RSA:-SHA1` to me at a cursory glance,
so are you sure you need ciphersuite-grained control for your usecase?

> Exim... my MX

Email is one curious case historically utilizing opportunistic encryption,
has the internet finally moved past the times of unencrypted SMTP
and into TLS algorithm tightening? =)



From ssmeenk at freshdot.net  Mon Jun  1 17:05:30 2026
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Mon, 1 Jun 2026 17:05:30 +0200
Subject: [gnutls-help] Priority strings, changing available ciphers
In-Reply-To: <CABMV8QMSm33QzebVc_J8+UkjfJedO3-D_3=HtZgNkNFD0rtYSw@mail.gmail.com>
References: <ah2KufzTXF27n71Y@dot.freshdot.net>
 <CABMV8QMSm33QzebVc_J8+UkjfJedO3-D_3=HtZgNkNFD0rtYSw@mail.gmail.com>
Message-ID: <ah2funftCB_1bb6n@dot.freshdot.net>

Quoting Alexander Sosedkin (asosedkin at redhat.com):

> > According to 'sslyze', this results in these ciphers on my MX:
> > >From this list i want to disable these ciphers:
> Have you checked that it actually lets you connect with these?

Yes. The 'sslyze' tool tries every possible combination and reports what
worked.

> > Am i right to note that GnuTLS does not allow for such intricate
> > configuration of available ciphers?
> It does not, and neither do most of the other TLS libraries.

OpenSSL allows you to specify an exact list of ciphers that should be
in- or excluded and is able to in- or exclude groups of ciphers based
on 'RSA' or 'SHA1' too.

> E.g., your intent looks like a `:-RSA:-SHA1` to me at a cursory glance,
> so are you sure you need ciphersuite-grained control for your usecase?
>
> Email is one curious case historically utilizing opportunistic encryption,
> has the internet finally moved past the times of unencrypted SMTP
> and into TLS algorithm tightening? =)

This is all sparked by the National Cyber Security Centre of the
Netherlands publishing what TLS versions- and ciphers are considered
insufficient, or should be phased out. And a tool called 'internet.nl'
that tests compliance.
So now i am tasked with making my servers score 100%

Regards,
-Sndr.
-- 
| How many SEO copywriters does it take to change a lightbulb, light bulb,
| bulb, lamp, incandascent light, light, led, bulbs, fluorescent tubes?
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2


From asosedkin at redhat.com  Mon Jun  1 17:38:14 2026
From: asosedkin at redhat.com (Alexander Sosedkin)
Date: Mon, 1 Jun 2026 17:38:14 +0200
Subject: [gnutls-help] Priority strings, changing available ciphers
In-Reply-To: <ah2funftCB_1bb6n@dot.freshdot.net>
References: <ah2KufzTXF27n71Y@dot.freshdot.net>
 <CABMV8QMSm33QzebVc_J8+UkjfJedO3-D_3=HtZgNkNFD0rtYSw@mail.gmail.com>
 <ah2funftCB_1bb6n@dot.freshdot.net>
Message-ID: <CABMV8QNwC16rK6WxN=7kLp5=4kk5vMqhafPMJdAG9OkkYZdChg@mail.gmail.com>

On Mon, Jun 1, 2026 at 5:06?PM Sander Smeenk <ssmeenk at freshdot.net> wrote:
>
> Quoting Alexander Sosedkin (asosedkin at redhat.com):
>
> > > According to 'sslyze', this results in these ciphers on my MX:
> > > >From this list i want to disable these ciphers:
> > Have you checked that it actually lets you connect with these?
>
> Yes. The 'sslyze' tool tries every possible combination and reports what
> worked.

I guess that TLS1.0 in its output
is the oldest protocol version for which the cipher is defined,
and not the actually negotiated version. That'd be a problem.

> > > Am i right to note that GnuTLS does not allow for such intricate
> > > configuration of available ciphers?
> > It does not, and neither do most of the other TLS libraries.
>
> OpenSSL allows you to specify an exact list of ciphers that should be
> in- or excluded and is able to in- or exclude groups of ciphers based
> on 'RSA' or 'SHA1' too.

If only.
OpenSSL allows you to specify an exact list of ciphersuites *for TLS 1.3*.
The horrors it forces onto us with the TLS 1.2 algorithm selection
are on the opposite end of the clarity spectrum.

> > E.g., your intent looks like a `:-RSA:-SHA1` to me at a cursory glance,
> > so are you sure you need ciphersuite-grained control for your usecase?
> >
> > Email is one curious case historically utilizing opportunistic encryption,
> > has the internet finally moved past the times of unencrypted SMTP
> > and into TLS algorithm tightening? =)
>
> This is all sparked by the National Cyber Security Centre of the
> Netherlands publishing what TLS versions- and ciphers are considered
> insufficient, or should be phased out. And a tool called 'internet.nl'
> that tests compliance.
> So now i am tasked with making my servers score 100%

Nice in general.
Still looks like it's prohibiting weak crypto while allowing unencrypted SMTP.

Append `:-RSA:-SHA1` onto the priority string to make it happy?



From ssmeenk at freshdot.net  Mon Jun  1 21:11:49 2026
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Mon, 1 Jun 2026 21:11:49 +0200
Subject: [gnutls-help] Priority strings, changing available ciphers
In-Reply-To: <CABMV8QNwC16rK6WxN=7kLp5=4kk5vMqhafPMJdAG9OkkYZdChg@mail.gmail.com>
References: <ah2KufzTXF27n71Y@dot.freshdot.net>
 <CABMV8QMSm33QzebVc_J8+UkjfJedO3-D_3=HtZgNkNFD0rtYSw@mail.gmail.com>
 <ah2funftCB_1bb6n@dot.freshdot.net>
 <CABMV8QNwC16rK6WxN=7kLp5=4kk5vMqhafPMJdAG9OkkYZdChg@mail.gmail.com>
Message-ID: <ah3ZdbR4vvR4uZ-N@dot.freshdot.net>

Quoting Alexander Sosedkin (asosedkin at redhat.com):
> On Mon, Jun 1, 2026 at 5:06?PM Sander Smeenk <ssmeenk at freshdot.net> wrote:
> > Yes. The 'sslyze' tool tries every possible combination and reports what
> > worked.
> I guess that TLS1.0 in its output
> is the oldest protocol version for which the cipher is defined,
> and not the actually negotiated version. That'd be a problem.

Heh. There's no TLS1.0 in sslyze output.
Well, there is, telling me no TLS1.0 is supported.

The bit that has me somewhat confused is this command:

| $ gnutls-cli --list --priority '-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:PFS' | grep TLS1.0
| TLS_ECDHE_ECDSA_AES_256_CBC_SHA1                  	0xc0, 0x0a	TLS1.0
| TLS_ECDHE_ECDSA_AES_128_CBC_SHA1                  	0xc0, 0x09	TLS1.0
| TLS_ECDHE_RSA_AES_256_CBC_SHA1                    	0xc0, 0x14	TLS1.0
| TLS_ECDHE_RSA_AES_128_CBC_SHA1                    	0xc0, 0x13	TLS1.0
| TLS_DHE_RSA_AES_256_CBC_SHA1                      	0x00, 0x39	TLS1.0
| TLS_DHE_RSA_AES_128_CBC_SHA1                      	0x00, 0x33	TLS1.0


> Append `:-RSA:-SHA1` onto the priority string to make it happy?

Probably, at least to 98% or something.
But i'd have to figure out what other ciphers get dropped that would
have been okay to still run with, and what impact that would have on
clients.

I'm currently running with this:
-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:PFS:SECURE256:-RSA:-SHA1:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1


Thanks so far, Alexander.

Rgds,
-Sndr.
-- 
| 'Squawks' said backwards still sounds the same even though it's not a palindrome.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2