Nikos Mavrogiannopoulos <[email protected]> writes:

> Martin von Gagern wrote:
>
>>>> It seems that _gnutls_record_set_default_version would provide a way to
>>>> get the intended behaviour of an older record version but a recent
>>>> client hello version. That function doesn't seem to be intended as part
>>>> of the public interface of GnuTLS, though [3]. Why is that?
>>>
>>> It was meant as a hack to test for buggy servers that I mentioned above.
>>> I don't think it should be normally used. A better solution would be to
>>> have a priority string %RFC4346 that would enforce that behavior. What
>>> do you think about that?
>>
>> The reference to RFC 4346 in your sentence confuses me, especially as I
>> see no reference to a "priority string" in that RFC. The only possible
>> interpretation of your suggestion would be to use a call to
>> gnutls_protocol_set_priority in order to disable TLS 1.1, thus enforcing
>> a TLS 1.0 record header and client hello.
>
> Hello,
> What I meant is to have this %RFC4346 option in the priority string in
> order to specify that the client hello and first record version will be
> according to appendix E as you quoted before (lowest supported record
> version, SSL 3.0, and highest supported client hello version, TLS 1.1).
> The priority string is gnutls specific and means the string you specify
> in the set_priority functions.
I think a priority string to configure this seems like a good idea,
however, please use a more descriptive name than %RFC4346 (which has
already been obsoleted by RFC 5246). How about %USE-TLS1.0-RECORD-VERSION?
And %USE-SSL3-RECORD-VERSION if we need to be able to set both SSL 3.0
and TLS 1.0 record versions.

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
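The thread turns on a distinction that is easy to miss when reading captures: the version in the 5-byte record header of the first flight is a separate field from the client_version inside the ClientHello body, and RFC 4346 Appendix E allows a client to send a low record version (such as SSL 3.0) while advertising a higher client_version. The example below is added here to illustrate that behaviour; it is not GnuTLS code and does not model GnuTLS's priority-string parser. It builds a minimal TLS record carrying a ClientHello with independently chosen record and hello versions, parses both fields back out, and models a version-intolerant server that rejects a record header it does not recognise. The 32-byte random value and the single cipher suite are constructed placeholders.

```python
import os
import struct

# Protocol version pairs as they appear on the wire (major, minor).
SSL3_0 = (3, 0)
TLS1_0 = (3, 1)
TLS1_1 = (3, 2)

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_TYPE_CLIENT_HELLO = 0x01


def build_client_hello_record(record_version, hello_version, random_bytes=None,
                              cipher_suites=(0x002F,)):
    """Return one TLS record containing a minimal ClientHello.

    record_version: the version placed in the record-layer header. This is the
        field RFC 4346 Appendix E lets a client lower for interoperability.
    hello_version:  client_version inside the ClientHello body, i.e. the highest
        protocol version the client is willing to negotiate.
    random_bytes:   32-byte ClientHello.random (constructed at random if omitted).
    cipher_suites:  iterable of 16-bit suite codes (constructed default: one suite).
    """
    if random_bytes is None:
        random_bytes = os.urandom(32)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello.random must be 32 bytes")

    body = bytes(hello_version) + random_bytes
    body += b"\x00"                                  # session_id: empty
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites  # cipher_suites vector
    body += b"\x01\x00"                              # compression_methods: null only

    # Handshake header: 1-byte msg_type, 3-byte length.
    handshake = bytes([HANDSHAKE_TYPE_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record header: content type, version (2 bytes), length (2 bytes).
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(record_version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello_record(record):
    """Return (record_version, hello_version) from a handshake record holding a ClientHello.

    Raises ValueError if the framing is not a single well-formed ClientHello record.
    """
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    record_version = (record[1], record[2])
    (record_len,) = struct.unpack("!H", record[3:5])
    if len(record) != 5 + record_len:
        raise ValueError("record length does not match payload")

    handshake = record[5:]
    if len(handshake) < 6 or handshake[0] != HANDSHAKE_TYPE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    handshake_len = int.from_bytes(handshake[1:4], "big")
    if handshake_len != len(handshake) - 4:
        raise ValueError("handshake length does not match body")
    hello_version = (handshake[4], handshake[5])
    return record_version, hello_version


def intolerant_server_accepts(record, server_max_version):
    """Model of a version-intolerant server (a constructed model, not any real stack).

    Such a server drops the connection when the record-layer version exceeds the
    highest version it knows, instead of negotiating down via client_version.
    Returns True if the first record would be accepted.
    """
    record_version, _hello_version = parse_client_hello_record(record)
    return record_version <= server_max_version


def appendix_e_demo():
    """Appendix E behaviour described in the thread: SSL 3.0 record header, TLS 1.1 ClientHello."""
    record = build_client_hello_record(SSL3_0, TLS1_1)
    return parse_client_hello_record(record)


if __name__ == "__main__":
    print("Appendix E flight (record, hello):", appendix_e_demo())
    strict = build_client_hello_record(TLS1_1, TLS1_1)
    lenient = build_client_hello_record(SSL3_0, TLS1_1)
    print("TLS 1.0-only intolerant server accepts TLS1.1 record header:",
          intolerant_server_accepts(strict, TLS1_0))
    print("TLS 1.0-only intolerant server accepts SSL3 record header:",
          intolerant_server_accepts(lenient, TLS1_0))
```

Running the script prints `((3, 0), (3, 2))` for the Appendix E flight, then `False` and `True` for the two server checks: the same TLS 1.1 offer gets through the modelled intolerant server only when the record header is lowered, which is exactly the effect the proposed priority-string option would switch on. When inspecting real captures, read both fields before concluding which protocol version a client asked for.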
