Hello,

lynx 2.8.9dev6 uses the following GnuTLS priority string:

NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+CAMELLIA-256-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+COMP-NULL:+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5

This disables any signature algorithms and certificate types:

(SID)ametzler@argenau:~$ gnutls-cli --priority=NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+CAMELLIA-256-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+COMP-NULL:+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5 -l | tail -n4
Protocols: VERS-SSL3.0, VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
Compression: COMP-NULL
Elliptic curves: none
PK-signatures: none

Starting with GnuTLS 3.3.15 this causes connection failures, since now GnuTLS was fixed to correctly check PK-signature algorithms (GNUTLS-SA-2015-2). Connecting to e.g. www.kernel.org now fails.

As a hotfix +CTYPE-X.509:+SIGN-ALL could be added, however looking at the string I wonder whether it would not be better if lynx simply used GnuTLS default settings with gnutls_set_default_priority() by default. Optionally a configuration option allowing a user to specify an alternate priority-string could be used. I doubt that e.g. a deliberate choice was made to disable ECDHE and SHA256 MAC when the priority string was hardcoded.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
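A dependency-free lint for the failure described in this message, as an added example that is not part of the original post and is not code from lynx or GnuTLS: it flags a NONE-based priority string that never adds a +SIGN- or +CTYPE- token. The names check_priority, has_token_prefix, LYNX_PRIO and the MISSING_* flags are hypothetical, and the token-prefix test is a simplification of GnuTLS's own priority parser.

```c
#include <stdio.h>
#include <string.h>

/* The priority string quoted in the message above. */
#define LYNX_PRIO "NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+CAMELLIA-256-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+COMP-NULL:+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5"

/* Categories a NONE-based string has to enable by itself. */
enum { MISSING_SIGN = 1, MISSING_CTYPE = 2 };

/* Returns 1 if any ':'-separated token of prio starts with prefix. */
static int has_token_prefix(const char *prio, const char *prefix)
{
    size_t n = strlen(prefix);
    const char *p = prio;
    while (p && *p) {
        if (strncmp(p, prefix, n) == 0)
            return 1;
        p = strchr(p, ':');
        if (p)
            p++; /* step past the separator to the next token */
    }
    return 0;
}

/* Returns a bitmask of MISSING_* flags, 0 when nothing is flagged.
 * Only strings whose first keyword is NONE are examined, since other
 * keywords (NORMAL, SECURE128, ...) bring their own defaults.
 * Simplification: later "-" or "!" tokens that remove an algorithm
 * again are not tracked. */
int check_priority(const char *prio)
{
    int missing = 0;
    if (strncmp(prio, "NONE", 4) != 0 || (prio[4] != ':' && prio[4] != '\0'))
        return 0;
    if (!has_token_prefix(prio, "+SIGN-"))
        missing |= MISSING_SIGN;
    if (!has_token_prefix(prio, "+CTYPE-"))
        missing |= MISSING_CTYPE;
    return missing;
}

int main(void)
{
    /* Second string: the same priority string with the proposed hotfix. */
    printf("hardcoded: %d\n", check_priority(LYNX_PRIO));
    printf("hotfixed:  %d\n", check_priority(LYNX_PRIO ":+CTYPE-X.509:+SIGN-ALL"));
    return 0;
}
```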
