Hi! I could use a bit of advice regarding an issue in pidgin talking to MSN servers, see http://developer.pidgin.im/ticket/3456 for the full report.

One of the MSN servers, 65.54.170.19, immediately terminates a connection started by GnuTLS using TLS 1.1. When restricting the protocol to TLS 1.0, the connection works all right. This behaviour can be reproduced using gnutls-cli, and also shows up as a failed fallback from TLS 1.1 in gnutls-cli-debug [1].

darkrain42 noticed that according to RFC4346 (TLS 1.1) Appendix E [2], a TLS client should use an older record version for the sake of backwards compatibility. And indeed, when using an older record version (SSL 3.0 or TLS 1.0) but indicating TLS 1.1 in the client hello, the connection with the server in question can be established successfully.

My first question is this: is there a good reason that GnuTLS doesn't indicate an older record version in accordance with appendix E by default?

It seems that _gnutls_record_set_default_version would provide a way to get the intended behaviour of an older record version but a recent client hello version. That function doesn't seem to be intended as part of the public interface of GnuTLS, though [3]. Why is that?

Do you have any other suggestions as to how to achieve backwards compatibility with such servers without too much programming overhead, and without denying more recent TLS versions in cases where both sides can use them?

I'd appreciate your opinion on this.

Greetings,
Martin von Gagern

[1] http://developer.pidgin.im/ticket/3456#comment:10
[2] http://tools.ietf.org/html/rfc4346#appendix-E
[3] http://developer.pidgin.im/ticket/3456#comment:22
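The distinction the post turns on, as an added illustration that is not code from the original message, Pidgin or GnuTLS: a ClientHello carries two version fields, one in the record-layer header and one (client_version) in the handshake body, and RFC 4346 Appendix E allows the record-layer version to be the older one. The builder below constructs a minimal ClientHello (no extensions, zeroed random) and the parser extracts both fields; `strict_server_accepts` is a constructed model of a server that drops any record whose header claims a version above TLS 1.0.

```python
import struct

TLS10 = (3, 1)
TLS11 = (3, 2)

def build_client_hello(record_version, hello_version, cipher_suites=(0x002F, 0x000A)):
    """Return one TLS record carrying a ClientHello handshake message.

    record_version goes into the 5-byte record header; hello_version becomes
    client_version inside the ClientHello body. They may legitimately differ.
    """
    body = struct.pack("BB", *hello_version)          # client_version
    body += bytes(32)                                 # client_random (zeroed: constructed)
    body += b"\x00"                                   # session_id length = 0
    body += struct.pack("!H", 2 * len(cipher_suites)) # cipher_suites length
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                               # compression_methods: null only
    # Handshake header: msg_type 1 (client_hello) + 24-bit length
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: content type 22 (handshake), version, 16-bit length
    header = b"\x16" + struct.pack("BB", *record_version) + struct.pack("!H", len(handshake))
    return header + handshake

def parse_versions(record):
    """Return (record_version, client_version) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version = (record[1], record[2])
    length = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + length]
    if len(handshake) != length or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    # Skip the 4-byte handshake header; client_version is the first body field
    client_version = (handshake[4], handshake[5])
    return record_version, client_version

def strict_server_accepts(record):
    """Constructed model of the observed server: it rejects any record whose
    header version is newer than TLS 1.0, before even reading client_version."""
    record_version, _ = parse_versions(record)
    return record_version <= TLS10

if __name__ == "__main__":
    for rv in (TLS11, TLS10):
        rec = build_client_hello(rv, TLS11)
        print(rv, parse_versions(rec), "accepted" if strict_server_accepts(rec) else "dropped")
```

Sending record version 3.1 with client_version 3.2 is the Appendix E behaviour: the model server accepts it, yet a server that does speak TLS 1.1 can still select it from client_version.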
