On 26/04/11 20:31, Nikos Mavrogiannopoulos wrote:
>>>> I tried to append ":-VERS-TLS-ALL:+VERS-SSL3.0" (e.g.
>>>> "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"), but this does not work: it still
>>>> results in other TLS versions being enabled. Apparently later entries do
>>>> not override previous entries. So how should this be done instead?
>>>
>>> The way you describe is the correct one. If I try this priority string
>>> with gnutls-cli of 2.12.3 I only see SSL 3.0 being advertised. Could
>>> it be that you overwrite the priorities by calling some other priority
>>> function later?
>>
>> Thanks for your help. The error was that I used "VERS-TLS-ALL" with
>> GnuTLS 2.8.6, which silently ignored this. I then tried with GnuTLS
>> 2.10.5 on a different system, and that complained about it. At that
>> point I realized that VERS-TLS-ALL is only available in GnuTLS 2.12.x...
>> So now I append ":-VERS-TLS-ALL:+VERS-SSL3.0" with GnuTLS >= 2.12, and
>> ":-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0" with GnuTLS <
>> 2.12, and this seems to work fine.
>
> If you do this for compatibility you might want to try "NORMAL:%COMPAT"
> instead of disabling protocol versions (if you are a server). If you
> are a client you might want to disable TLS 1.1 and TLS 1.2 as a
> number of servers refuse to talk if presented with version numbers
> they don't understand. I'm not aware though of any server having
> issues with TLS 1.0.
I'm a client, and I do this only if the user specified the force_sslv3 option. This option was added ca. 5 years ago to work around problems with servers that were called "ancient" already at that time. I doubt that it is still relevant today, but I don't want to remove this option if it can be avoided; someone might still use it.

Martin

_______________________________________________
Help-gnutls mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-gnutls
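The behaviour discussed in this thread (keywords applied left to right, VERS-TLS-ALL only understood from 2.12 on, and the two version-dependent strings Martin settles on) as an added, simplified model; this is not GnuTLS's own parser, only the VERS-* keywords are modelled, and the version tuples are assumptions standing in for the releases named above:

```python
"""Simplified model of how VERS-* keywords in a GnuTLS priority string are
applied (illustration for the thread, not GnuTLS code). Cipher, MAC and
%-flag keywords are ignored since they do not change the version list."""

# Protocol versions the model knows, oldest first. NORMAL enables all of them.
ALL_VERSIONS = ["SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2"]
# What VERS-TLS-ALL expands to: the TLS versions, not SSL 3.0. This matches
# the equivalent hand-written "-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0" string.
TLS_VERSIONS = ["TLS1.0", "TLS1.1", "TLS1.2"]


def expand_vers(keyword, version):
    """Map a VERS-* keyword (sign already stripped) to a list of versions."""
    if keyword == "VERS-TLS-ALL":
        if version < (2, 12):
            # Only 2.12 and later understand VERS-TLS-ALL. 2.10.x reported an
            # error; 2.8.6 silently ignored it, which is the trap in the thread.
            raise ValueError("VERS-TLS-ALL needs GnuTLS >= 2.12, got %r" % (version,))
        return list(TLS_VERSIONS)
    name = keyword[len("VERS-"):]
    if name not in ALL_VERSIONS:
        raise ValueError("unknown protocol keyword: " + keyword)
    return [name]


def parse_priority(spec, version=(2, 12, 3)):
    """Return the protocol versions a client would advertise for `spec`.

    Keywords apply strictly left to right, so "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"
    leaves only SSL 3.0, as gnutls-cli showed in the thread. Checking this
    list (rather than trusting the string) catches silently ignored keywords.
    """
    enabled = []
    for item in spec.split(":"):
        if item in ("NORMAL", "PERFORMANCE", "SECURE128", "SECURE256"):
            enabled = list(ALL_VERSIONS)
        elif item and item[0] in "+-" and item[1:].startswith("VERS-"):
            for v in expand_vers(item[1:], version):
                if item[0] == "-":
                    enabled = [e for e in enabled if e != v]
                elif v not in enabled:
                    enabled.append(v)
    return enabled


def force_sslv3_priority(version):
    """Build the version-dependent string the thread settles on."""
    if version >= (2, 12):
        return "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"
    return "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0"
```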
