On 02/28/2014 04:38 PM, Manuel Pégourié-Gonnard wrote: > Hi, > > % gnutls-cli --version | head -n1 > gnutls-cli 3.2.11 > % gnutls-cli --list | grep DHE_PSK_ARC > TLS_ECDHE_PSK_ARCFOUR_128_SHA1 0xc0, 0x33 SSL3.0 > TLS_DHE_PSK_ARCFOUR_128_SHA1 0x00, 0x8e TLS1.0 > > I have trouble getting why the DHE_PSK suite would require TLS 1.0 while the > ECDHE_PSK one would work with SSL 3.0. AFAICS, neither RFC 4279 nor 5489, > which > define these suites, say anything about a minimum version for them. > Am I missing something?
Hello Manuel, The RFCs you refer to don't mention SSL 3.0 at all, so my approach was to allow these algorithms for TLS 1.0 or later. Unfortunately openssl was negotiating these algorithms on SSL 3.0 as well, so I allowed some of them in SSL 3.0 as well. I asked the TLS WG at the time, and there was no real answer. Anyway maybe it makes sense to allow all the TLS 1.0 ciphersuites in SSL 3.0 as well to prevent any incompatibilities. regards, Nikos _______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
