[gnutls-help] Priority strings, changing available ciphers
Sander Smeenk
ssmeenk at freshdot.net
Mon Jun 1 17:05:30 CEST 2026
Quoting Alexander Sosedkin (asosedkin at redhat.com):
> > According to 'sslyze', this results in these ciphers on my MX:
> > From this list I want to disable these ciphers:
> Have you checked that it actually lets you connect with these?
Yes. The 'sslyze' tool tries every possible combination and reports what
worked.
> > Am I right to note that GnuTLS does not allow for such intricate
> > configuration of available ciphers?
> It does not, and neither do most of the other TLS libraries.
OpenSSL allows you to specify an exact list of ciphers that should be
included or excluded, and it can also include or exclude groups of
ciphers based on 'RSA' or 'SHA1' too.
> E.g., your intent looks like a `:-RSA:-SHA1` to me at a cursory glance,
> so are you sure you need ciphersuite-grained control for your usecase?
>
> Email is one curious case historically utilizing opportunistic encryption,
> has the internet finally moved past the times of unencrypted SMTP
> and into TLS algorithm tightening? =)
This is all sparked by the National Cyber Security Centre of the
Netherlands publishing which TLS versions and ciphers are considered
insufficient or should be phased out, and a tool called 'internet.nl'
that tests compliance.
So now I am tasked with making my servers score 100%.
Regards,
-Sndr.
--
| How many SEO copywriters does it take to change a lightbulb, light bulb,
| bulb, lamp, incandescent light, light, led, bulbs, fluorescent tubes?
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
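The two configuration styles discussed in this message, as an added example that is not part of the thread or of GnuTLS/OpenSSL themselves: the OpenSSL side uses Python's `ssl` module (which is linked against OpenSSL) to show which suites survive a group-based exclusion such as `ALL:!aRSA:!SHA1`, and the GnuTLS side shells out to `gnutls-cli --list --priority STRING`, which prints only the suites a priority string enables. The cipher-list and priority strings used below are my own illustrative choices, and `gnutls-cli` is only invoked if it is found on PATH. One caveat worth knowing when trying the `:-RSA:-SHA1` suggestion above: in GnuTLS the `RSA` keyword names the static RSA key exchange, while `ECDHE-RSA` and `DHE-RSA` are separate key-exchange keywords, so check the resulting list rather than assuming every RSA-authenticated suite is gone.

```python
"""Added example (not from the gnutls-help thread): inspect which ciphersuites
an OpenSSL cipher list or a GnuTLS priority string actually enables.

Assumptions: Python's ssl module is built against OpenSSL (the normal case);
gnutls-cli is optional and only used when present on PATH.
"""
import shutil
import ssl
import subprocess


def openssl_enabled_ciphers(cipher_list):
    """Return the TLS <= 1.2 suite names OpenSSL enables for cipher_list.

    OpenSSL keywords such as aRSA (RSA authentication) or SHA1 (SHA-1 MAC)
    name whole groups, and a leading '!' removes the group permanently.
    TLS 1.3 suites are not governed by set_ciphers() (OpenSSL keeps them in a
    separate list), so they are filtered out of the report here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def uses_rsa_auth_or_sha1(cipher_list):
    """True if any enabled TLS <= 1.2 suite still authenticates with RSA or
    uses SHA-1 as its MAC, judged both from OpenSSL's metadata and the name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        name = c["name"]
        if c.get("auth") == "auth-rsa" or "RSA" in name:
            return True
        if c.get("digest") == "sha1" or name.endswith("-SHA"):
            return True
    return False


def gnutls_enabled_ciphers(priority):
    """Return the suite names gnutls-cli reports for a priority string, or
    None if gnutls-cli is not installed.

    'gnutls-cli --list --priority=STRING' prints only the ciphersuites that
    STRING enables, one per line, each starting with its TLS_ name.
    """
    exe = shutil.which("gnutls-cli")
    if exe is None:
        return None
    out = subprocess.run(
        [exe, "--list", "--priority=" + priority],
        capture_output=True, text=True, check=True,
    ).stdout
    return [line.split()[0] for line in out.splitlines() if line.startswith("TLS_")]


if __name__ == "__main__":
    # Illustrative strings chosen for this example, not taken from the thread.
    for cipher_list in ("ALL", "ALL:!aRSA:!SHA1"):
        suites = openssl_enabled_ciphers(cipher_list)
        print(f"OpenSSL {cipher_list!r}: {len(suites)} TLS<=1.2 suites, "
              f"RSA-auth or SHA-1 left: {uses_rsa_auth_or_sha1(cipher_list)}")
        for name in suites:
            print("  ", name)
    for priority in ("NORMAL", "NORMAL:-RSA:-SHA1"):
        suites = gnutls_enabled_ciphers(priority)
        if suites is None:
            print(f"GnuTLS {priority!r}: gnutls-cli not installed, skipped")
            continue
        print(f"GnuTLS {priority!r}: {len(suites)} suites")
        for name in suites:
            print("  ", name)
```

Running the script side by side makes the difference the thread is about visible: OpenSSL's `!aRSA` drops every suite that authenticates with RSA, whereas with GnuTLS you must check the `gnutls-cli --list` output to see which key-exchange keywords a given `-` entry actually removed.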