On 04/25/2011 09:34 PM, Martin Lambers wrote:
>>> I tried to append ":-VERS-TLS-ALL:+VERS-SSL3.0" (e.g.
>>> "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"), but this does not work: it still
>>> results in other TLS versions being enabled. Apparently later entries do
>>> not override previous entries. So how should this be done instead?
>>
>> The way you describe is the correct one. If I try this priority string
>> with gnutls-cli of 2.12.3 I only see SSL 3.0 being advertised. Could
>> it be that you overwrite the priorities by calling some other priority
>> function later?
>
> Thanks for your help. The error was that I used "VERS-TLS-ALL" with
> GnuTLS 2.8.6, which silently ignored this. I then tried with GnuTLS
> 2.10.5 on a different system, and that complained about it. At that
> point I realized that VERS-TLS-ALL is only available in GnuTLS 2.12.x...
> So now I append ":-VERS-TLS-ALL:+VERS-SSL3.0" with GnuTLS >= 2.12, and
> ":-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0" with GnuTLS <
> 2.12, and this seems to work fine.
If you do this for compatibility you might want to try "NORMAL:%COMPAT"
instead of disabling protocol versions (if you are a server). If you are
a client you might want to disable TLS 1.1 and TLS 1.2 as a number of
servers refuse to talk if presented with version numbers they don't
understand. I'm not aware though of any server having issues with TLS 1.0.

regards,
Nikos

_______________________________________________
Help-gnutls mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-gnutls
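A small Python model of the VERS-* keyword semantics discussed in this thread (an added example, not GnuTLS code): entries are applied left to right so later +/- entries override earlier ones, VERS-TLS-ALL is only understood from 2.12 on, and the helper picks the fallback string for older releases. It assumes NORMAL enables SSL 3.0 and TLS 1.0/1.1/1.2, and rejects an unknown keyword the way 2.10.5 did rather than ignoring it like 2.8.6.

```python
# Simplified model of GnuTLS priority-string protocol-version handling.
# Added example, not GnuTLS's own parser; only VERS-* keywords are modelled.
from typing import Tuple

ALL_TLS = ("VERS-TLS1.0", "VERS-TLS1.1", "VERS-TLS1.2")
# Assumption: the NORMAL keyword enables SSL 3.0 plus all three TLS versions.
BASE_KEYWORDS = {"NORMAL": ("VERS-SSL3.0",) + ALL_TLS}


def expand(keyword: str, version: Tuple[int, int]) -> Tuple[str, ...]:
    """Map one VERS-* keyword to the protocol versions it names for a given
    GnuTLS version. VERS-TLS-ALL is only known from 2.12 on (as the thread found)."""
    if keyword == "VERS-TLS-ALL":
        if version < (2, 12):
            raise ValueError("unknown keyword VERS-TLS-ALL (needs GnuTLS >= 2.12)")
        return ALL_TLS
    if keyword in ("VERS-SSL3.0",) + ALL_TLS:
        return (keyword,)
    raise ValueError(f"unknown version keyword: {keyword}")


def enabled_versions(priority: str, version: Tuple[int, int] = (2, 12)) -> set:
    """Return the set of protocol versions a priority string enables.
    Entries are applied left to right, so a later -X/+X overrides an earlier one."""
    enabled: set = set()
    for entry in priority.split(":"):
        if entry in BASE_KEYWORDS:
            enabled = set(BASE_KEYWORDS[entry])
        elif entry.startswith("%"):
            continue  # modifiers such as %COMPAT do not change versions here
        elif entry[:1] in ("-", "+") and entry[1:].startswith("VERS-"):
            versions = expand(entry[1:], version)
            if entry[0] == "-":
                enabled.difference_update(versions)
            else:
                enabled.update(versions)
        # cipher/MAC/KX entries are outside this model and are left alone
    return enabled


def rejects(priority: str, version: Tuple[int, int]) -> bool:
    """True if this GnuTLS version would complain about the string (2.10.5 style)."""
    try:
        enabled_versions(priority, version)
        return False
    except ValueError:
        return True


def ssl3_only_priority(version: Tuple[int, int]) -> str:
    """The SSL 3.0-only suffix strategy the thread settled on, per GnuTLS version."""
    if version >= (2, 12):
        return "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"
    return "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0"
```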
