On Tue, Jul 02, 2019 at 09:36:25AM -0700, Quanah Gibson-Mount wrote:
> b) That the way to do this with GnuTLS is via the TLSCipherSuite
> setting. The man page directs one to look at the gnutls-cli(1) man
> page, in particular, the --priority setting.
> If we pull up this man page (<https://linux.die.net/man/1/gnutls-cli>
> for example), there are some examples provided there. Based on those
> examples, it looks like perhaps something along the lines of:
> "NONE:+VERS-SSL3.0" would enable *just* SSL3.0. I'd guess you could
> set it to something like "NORMAL:+VERS-SSL3.0" or perhaps
> "EXPORT:+VERS-SSL3.0"

NORMAL:+VERS-SSL3.0 sounds like the right idea. I'd avoid EXPORT unless
really, absolutely necessary. Depending on the specific client software
you may also have to enable some additional cipher suite(s).

I would also add that you can use gnutls-cli(1) to verify and test your
priority strings.
e.g.: gnutls-cli -l --priority 'NORMAL:+VERS-SSL3.0' will show you the
ciphers and other features enabled by that priority string, and inform
you if the string is not valid.