[gnutls-help] Priority strings, changing available ciphers

Alexander Sosedkin asosedkin at redhat.com
Mon Jun 1 17:38:14 CEST 2026


On Mon, Jun 1, 2026 at 5:06 PM Sander Smeenk <ssmeenk at freshdot.net> wrote:
>
> Quoting Alexander Sosedkin (asosedkin at redhat.com):
>
> > > According to 'sslyze', this results in these ciphers on my MX:
> > > From this list I want to disable these ciphers:
> > Have you checked that it actually lets you connect with these?
>
> Yes. The 'sslyze' tool tries every possible combination and reports what
> worked.

I guess that TLS1.0 in its output
is the oldest protocol version for which the cipher is defined,
and not the actually negotiated version. That'd be a problem.

> > > Am i right to note that GnuTLS does not allow for such intricate
> > > configuration of available ciphers?
> > It does not, and neither do most of the other TLS libraries.
>
> OpenSSL allows you to specify an exact list of ciphers that should be
> in- or excluded and is able to in- or exclude groups of ciphers based
> on 'RSA' or 'SHA1' too.

If only.
OpenSSL allows you to specify an exact list of ciphersuites *for TLS 1.3*.
The horrors it forces onto us with the TLS 1.2 algorithm selection
are on the opposite end of the clarity spectrum.

> > E.g., your intent looks like a `:-RSA:-SHA1` to me at a cursory glance,
> > so are you sure you need ciphersuite-grained control for your usecase?
> >
> > Email is one curious case historically utilizing opportunistic encryption,
> > has the internet finally moved past the times of unencrypted SMTP
> > and into TLS algorithm tightening? =)
>
> This is all sparked by the National Cyber Security Centre of the
> Netherlands publishing what TLS versions- and ciphers are considered
> insufficient, or should be phased out. And a tool called 'internet.nl'
> that tests compliance.
> So now I am tasked with making my servers score 100%

Nice in general.
Still looks like it's prohibiting weak crypto while allowing unencrypted SMTP.

Append `:-RSA:-SHA1` onto the priority string to make it happy?
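Added example, not from this thread or from GnuTLS itself: a small POSIX shell script that asks gnutls-cli to resolve a priority string and then checks that the plain RSA key exchange and the SHA1 MAC are really gone, so you can see what `NORMAL:-RSA:-SHA1` enables before it goes into an MX config. It assumes gnutls-cli is on PATH and that the summary it prints for `--list --priority=...` contains the `Key Exchange Algorithms:` and `MACs:` lines (GnuTLS 3.6 and later, as far as I know); the function names and the exit-code convention are mine.

```shell
#!/bin/sh
# Added example (not from the thread): resolve a GnuTLS priority string with
# gnutls-cli and check that the plain RSA key exchange and the SHA1 MAC are
# gone. Assumes gnutls-cli on PATH and that `gnutls-cli --list --priority=...`
# prints "Key Exchange Algorithms:" and "MACs:" summary lines (GnuTLS 3.6+).

# Print everything gnutls-cli enables for the priority string in $1:
# a per-suite table followed by the algorithm summary lines.
resolve_priority() {
    gnutls-cli --list --priority="$1"
}

# Exit status: 0 = no plain RSA key exchange and no SHA1 MAC,
#              1 = at least one of them is still enabled,
#              2 = no verdict (gnutls-cli missing, string rejected, or
#                  summary lines not found in the output).
priority_is_clean() {
    command -v gnutls-cli >/dev/null 2>&1 || return 2
    out=$(resolve_priority "$1") || return 2
    # e.g. "Key Exchange Algorithms: ECDHE-ECDSA, ECDHE-RSA, RSA, DHE-RSA"
    kx=$(printf '%s\n' "$out" | sed -n 's/^Key Exchange Algorithms: //p')
    # e.g. "MACs: AEAD, SHA1, SHA256, SHA384"
    macs=$(printf '%s\n' "$out" | sed -n 's/^MACs: //p')
    [ -n "$kx" ] && [ -n "$macs" ] || return 2
    # Match whole tokens: "ECDHE-RSA" and "DHE-RSA" (RSA only signs the
    # handshake there) are supposed to survive ":-RSA"; only the bare "RSA"
    # token is the RSA-encrypted key exchange the priority string drops.
    # (RSA-PSK is a separate keyword and only matters with PSK credentials.)
    case ",$(printf '%s' "$kx" | tr -d ' ')," in *,RSA,*) return 1 ;; esac
    case ",$(printf '%s' "$macs" | tr -d ' ')," in *,SHA1,*) return 1 ;; esac
    return 0
}

# Usage: sh check_priority.sh 'NORMAL:-RSA:-SHA1'
if [ -n "$1" ]; then
    priority_is_clean "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "$1: no RSA key exchange, no SHA1 MAC" ;;
        1) echo "$1: still enables RSA key exchange and/or SHA1 MAC" ;;
        *) echo "$1: no verdict (gnutls-cli missing, string rejected, or unexpected output)" ;;
    esac
    exit "$rc"
fi
```

Two caveats worth keeping in mind when reading the gnutls-cli output. `-RSA` only removes the RSA key-exchange keyword; ECDHE-RSA and DHE-RSA stay, which is what you want for an RSA certificate. `-SHA1` removes the SHA1 MAC (the CBC-SHA1 suites), not SHA1 signatures; those are governed by the `SIGN-RSA-SHA1`-style keywords. And the version column in the per-suite table that precedes the summary gives the lowest protocol version each suite is defined for, not what a given peer will negotiate, which is the same trap as the sslyze output discussed above.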
