Justin Coffman <[email protected]> writes:

> I tried my hand at generating a patch, but the patched version didn't
> exhibit behavior any different than current. I guess my GnuTLS-fu is not
> strong enough.
>
> The gotcha (I think) is in the way GnuTLS shims the SSLv23_client_method
> in its OpenSSL compatibility layer. The only other available shim is
> TLSv1_client_method, which seems to behave exactly the same way as it
> does currently.

Yeah, I took a quick look, and indeed, this is a mess. All of the ways of
initializing the context in the compatibility layer enable at most TLS 1.0,
and the SSL_CTX_set_cipher_list() function is stubbed out completely (since
GnuTLS uses a different syntax for cipher strings). I suspect this would
require fully porting tf5 to GnuTLS. :( Or fixing the compat layer to not
be as stupid about ciphers.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

