On 08/13/2018 07:25 AM, Nikos Mavrogiannopoulos wrote:
> Maybe we should document that the none + build up approach is
> version-specific and cannot be guaranteed to work on protocol updates,
> or across minor gnutls version updates. That was not the original
> intention, but in practice over every TLS update (1.1 -> 1.2 -> 1.3)
> these strings that were derived from none broke.
>
>> How about
>> NORMAL:-VERS-ALL:+VERS-TLS-ALL:-KX-ALL:+RSA:-CIPHER-ALL:+AES-128-CBC:+CAMELLIA-256-GCM:-COMP-ALL:+COMP-NULL
>
> That is certainly much better, but from the perspective of someone who
> has seen numerous of these priority strings in applications, I'd
> really recommend using the defaults.
The use-case here is for testing an application. So I need to be able to set odd combinations, for example to check what happens at application level when the TLS connect fails for lack of a compatible key-exchange. Having to make the testsuite tls-library-version aware would be sucky.

Also fails, presumably for equivalent reasons:

gnutls_priority_init(NORMAL:!MAC-ALL:+MD5) failed at offset 0, "NORMAL.."): No or insufficient priorities were set.

-- 
Cheers,
Jeremy

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
