[gnutls-help] Priority strings, changing available ciphers

Alexander Sosedkin asosedkin at redhat.com
Mon Jun 1 16:25:36 CEST 2026 

On Mon, Jun 1, 2026 at 3:53 PM Sander Smeenk <ssmeenk at freshdot.net> wrote:
> I'm having a hard time figuring out 'priority strings' to disable
> certain cipher suites that are no longer deemed secure.
>
> GnuTLS 3.8.3, Exim 4.98.
>
> My current priority string is:
>    '-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:PFS:SECURE256:%SERVER_PRECEDENCE'
>
> First off, running `gnutls-cli --list --priority ...` on that string
> shows eight TLS1.0 ciphers in the list. I would not expect that, given
> -VERS-ALL and only 1.2 and 1.3 being enabled again.
>
> According to 'sslyze', this results in these ciphers on my MX:
> | * TLS 1.2 Cipher Suites:
> |  TLS_RSA_WITH_AES_256_GCM_SHA384               256
> |  TLS_RSA_WITH_AES_256_CCM                      256
> |  TLS_RSA_WITH_AES_256_CBC_SHA                  256
> |  TLS_RSA_WITH_AES_128_GCM_SHA256               128
> |  TLS_RSA_WITH_AES_128_CCM                      128
> |  TLS_RSA_WITH_AES_128_CBC_SHA                  128
> |  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   256  ECDH: secp256r1 (256 bits)
> |  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         256  ECDH: secp256r1 (256 bits)
> |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            256  ECDH: secp256r1 (256 bits)
> |  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         128  ECDH: secp256r1 (256 bits)
> |  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            128  ECDH: secp256r1 (256 bits)
> |  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     256  DH (3072 bits)
> |  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384           256  DH (3072 bits)
> |  TLS_DHE_RSA_WITH_AES_256_CCM                  256  DH (3072 bits)
> |  TLS_DHE_RSA_WITH_AES_256_CBC_SHA              256  DH (3072 bits)
> |  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256           128  DH (3072 bits)
> |  TLS_DHE_RSA_WITH_AES_128_CCM                  128  DH (3072 bits)
> |  TLS_DHE_RSA_WITH_AES_128_CBC_SHA              128  DH (3072 bits)
> |
> | * TLS 1.3 Cipher Suites:
> |  TLS_CHACHA20_POLY1305_SHA256    256  ECDH: secp256r1 (256 bits)
> |  TLS_AES_256_GCM_SHA384          256  ECDH: secp256r1 (256 bits)
> |  TLS_AES_128_GCM_SHA256          128  ECDH: secp256r1 (256 bits)
> |  TLS_AES_128_CCM_SHA256          128  ECDH: secp256r1 (256 bits)
>
> >From this list i want to disable these ciphers:
> | TLS_DHE_RSA_AES_256_CBC_SHA1       0x00, 0x39  TLS1.0
> | TLS_DHE_RSA_AES_128_CBC_SHA1       0x00, 0x33  TLS1.0
> | TLS_ECDHE_RSA_AES_256_CBC_SHA1     0xc0, 0x14  TLS1.0
> | TLS_ECDHE_RSA_AES_128_CBC_SHA1     0xc0, 0x13  TLS1.0
> | TLS_RSA_AES_256_GCM_SHA384         0x00, 0x9d  TLS1.2
> | TLS_RSA_AES_256_CCM                0xc0, 0x9d  TLS1.2
> | TLS_RSA_AES_256_CBC_SHA1           0x00, 0x35  TLS1.0
> | TLS_RSA_AES_128_GCM_SHA256         0x00, 0x9c  TLS1.2
> | TLS_RSA_AES_128_CCM                0xc0, 0x9c  TLS1.2
> | TLS_RSA_AES_128_CBC_SHA1           0x00, 0x2f  TLS1.0

Have you checked that it actually lets you connect with these?

> But i seem to only have 'coarse' controls over the available cipher suite.
> For example i can only '-AES-256-GCM', which removes five ciphers from
> the set. Not just the RSA_AES_256_SHA384 one.
>
> Am i right to note that GnuTLS does not allow for such intricate
> configuration of available ciphers?

It does not, and neither do most of the other TLS libraries.
Usually it's a specific algorithm the system operator doesn't trust in general,
not specific combinations of them.
E.g., your intent looks like a `:-RSA:-SHA1` to me at a cursory glance,
so are you sure you need ciphersuite-grained control for your usecase?

> Exim... my MX

Email is one curious case historically utilizing opportunistic encryption,
has the internet finally moved past the times of unencrypted SMTP
and into TLS algorithm tightening? =)

More information about the Gnutls-help mailing list