Hi Nikos,

On 25/04/11 21:13, Nikos Mavrogiannopoulos wrote:
> On 04/25/2011 08:57 PM, Martin Lambers wrote:
>> I have some trouble with priority strings since
>> gnutls_protocol_set_priority() is deprecated:
>> Both msmtp and mpop can pass user-specified priority strings to GnuTLS,
>> and both also provide the independent option to force SSLv3.
>> Up until now, I could specify the priority string with
>> gnutls_priority_set_direct() and subsequently use
>> gnutls_protocol_set_priority() to force SSLv3, and this worked as expected.
>> To avoid using a deprecated function, I now need to force SSLv3 by
>> extending a given priority string.
>> I tried to append ":-VERS-TLS-ALL:+VERS-SSL3.0" (e.g.
>> "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"), but this does not work: it still
>> results in other TLS versions being enabled. Apparently later entries do
>> not override previous entries. So how should this be done instead?
>
> The way you describe is the correct one. If I try this priority string
> to gnutls-cli of 2.12.3 I only see SSL 3.0 being advertised. Could
> it be that you overwrite the priorities by calling some other priority
> function later?

Thanks for your help. The error was that I used "VERS-TLS-ALL" with GnuTLS 2.8.6, which silently ignored this. I then tried with GnuTLS 2.10.5 on a different system, and that complained about it. At that point I realized that VERS-TLS-ALL is only available in GnuTLS 2.12.x...

So now I append ":-VERS-TLS-ALL:+VERS-SSL3.0" with GnuTLS >= 2.12, and ":-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0" with GnuTLS < 2.12, and this seems to work fine.

Martin
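The version-dependent suffix described in the message above, as an added C sketch that is not code from msmtp, mpop or GnuTLS. The function names are hypothetical, and the library version is passed in as a string so that the block builds without GnuTLS installed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if "major.minor[.patch]" is >= 2.12, 0 if older, -1 if unparsable.
 * Fields are compared as numbers: as text, "2.8.6" would sort after "2.12.3". */
static int has_vers_tls_all(const char *version)
{
    char *end;
    long major, minor;

    if (version == NULL || !isdigit((unsigned char)version[0]))
        return -1;
    major = strtol(version, &end, 10);
    if (*end != '.' || !isdigit((unsigned char)end[1]))
        return -1;
    minor = strtol(end + 1, &end, 10);
    return (major > 2 || (major == 2 && minor >= 12)) ? 1 : 0;
}

/* Writes user_prio plus the SSLv3-forcing suffix into out.
 * Returns 0 on success, -1 on bad input, unknown version or a too-small buffer. */
int force_ssl3_priority(const char *user_prio, const char *version,
                        char *out, size_t outlen)
{
    const char *suffix;
    int n;

    if (user_prio == NULL) return -1;
    switch (has_vers_tls_all(version)) {
    case 1:  suffix = ":-VERS-TLS-ALL:+VERS-SSL3.0"; break;
    case 0:  suffix = ":-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0"; break;
    default: return -1;   /* refuse to guess: an unknown keyword may be ignored */
    }
    n = snprintf(out, outlen, "%s%s", user_prio, suffix);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed versions; a client would pass gnutls_check_version(NULL). */
    const char *versions[] = { "2.8.6", "2.10.5", "2.12.3" };
    char prio[128];
    for (size_t i = 0; i < 3; i++)
        if (force_ssl3_priority("NORMAL", versions[i], prio, sizeof prio) == 0)
            printf("%-7s %s\n", versions[i], prio);
    return 0;
}
```

The resulting string would then be handed to gnutls_priority_set_direct(), whose return value and error position should be checked, since 2.10.5 reported the unknown keyword while 2.8.6 did not.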
