URL:
  <https://savannah.gnu.org/bugs/?67966>

                 Summary: certain options override gnutls system configuration
                   Group: GNU Wget
               Submitter: None
               Submitted: Tue 27 Jan 2026 09:35:12 AM UTC
                Category: Program Logic
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: Alexander Sosedkin
        Originator Email: [email protected]
             Open/Closed: Open
         Discussion Lock: Unlocked
                 Release: trunk
        Operating System: GNU/Linux
         Reproducibility: Every Time
           Fixed Release: None
         Planned Release: None
              Regression: No
           Work Required: None
          Patch Included: No


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Tue 27 Jan 2026 09:35:12 AM UTC By: Anonymous
As of the current git commit 3388a22b10dbda015005ddfb8fe7fc1c04f6e069
src/gnutls.c's set_prio_default does not modify gnutls priority strings
correctly.
wget should not override the system-wide gnutls policy entirely,
but rather tweak just the aspects it needs tweaked.

Example:

    case secure_protocol_tlsv1_3:
#if GNUTLS_VERSION_NUMBER >= 0x030603
      err = gnutls_priority_set_direct (session,
                                        "NORMAL:-VERS-SSL3.0:+VERS-TLS1.3:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2",
                                        NULL);
      break;

NORMAL is gnutls' compiled-in default which hasn't been updated in a while.
On systems defaulting to a tighter priority string, such as Fedora or RHEL,
this relaxes it back to gnutls defaults.

An established, recommended way to alter cryptographic defaults
that works with every configuration format of gnutls is
`gnutls_set_default_priority_append()`.
Say, forcing TLS 1.3 specifically could be done with a
`-VERS-TLS-ALL:+VERS-TLS-1.2`,
while forcing TLS 1.3 or newer could indeed be done
with a `-VERS-SSL3.0:+VERS-TLS1.3:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2`.

Additionally, gnutls_session_enable_compatibility_mode(session) should not
really be used.
