[gnutls-help] Priority strings, changing available ciphers

[Sander Smeenk]

Quoting Alexander Sosedkin (asosedkin at redhat.com):
> On Mon, Jun 1, 2026 at 5:06 PM Sander Smeenk <ssmeenk at freshdot.net> wrote:
> > Yes. The 'sslyze' tool tries every possible combination and reports what
> > worked.
> I guess that TLS1.0 in its output
> is the oldest protocol version for which the cipher is defined,
> and not the actually negotiated version. That'd be a problem.

Heh. There's no TLS1.0 in sslyze output.
Well, there is, telling me no TLS1.0 is supported.

The bit that has me somewhat confused is this command:

| $ gnutls-cli --list --priority '-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:PFS' | grep TLS1.0
| TLS_ECDHE_ECDSA_AES_256_CBC_SHA1                  	0xc0, 0x0a	TLS1.0
| TLS_ECDHE_ECDSA_AES_128_CBC_SHA1                  	0xc0, 0x09	TLS1.0
| TLS_ECDHE_RSA_AES_256_CBC_SHA1                    	0xc0, 0x14	TLS1.0
| TLS_ECDHE_RSA_AES_128_CBC_SHA1                    	0xc0, 0x13	TLS1.0
| TLS_DHE_RSA_AES_256_CBC_SHA1                      	0x00, 0x39	TLS1.0
| TLS_DHE_RSA_AES_128_CBC_SHA1                      	0x00, 0x33	TLS1.0


> Append `:-RSA:-SHA1` onto the priority string to make it happy?

Probably, at least to 98% or something.
But i'd have to figure out what other ciphers get dropped that would
have been okay to still run with, and what impact that would have on
clients.

I'm currently running with this:
-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:PFS:SECURE256:-RSA:-SHA1:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1


Thanks so far, Alexander.

Rgds,
-Sndr.
-- 
| 'Squawks' said backwards still sounds the same even though it's not a palindrome.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2