On Thu, Sep 11, 2014 at 3:02 AM, Nikos Mavrogiannopoulos <[email protected]> wrote:
> On Wed, Sep 10, 2014 at 8:43 PM, Mark Doliner <[email protected]> wrote:
>> Hi! I work on the instant messaging program Pidgin. I'm fiddling with
>> the priority string that we pass to gnutls_priority_init(), trying to
>> find a value that disables weaker ciphers while remaining compatible
>> with the majority of servers.
>
> Well, I'd suggest using each version's NORMAL:%COMPAT option in that
> case (or gnutls_priority_set_default()). The ciphers are prioritized
> by security margin and remain compatible with the majority if not all
> of the servers (I think your use case is the exact reason for the
> default settings).

Hmm, yeah, using NORMAL is very reasonable. I would certainly prefer
if we could use the default, but it does seem like we can improve
things slightly by using a custom string.

I checked in a change to our development branch for now to use a
custom string. Assuming no one has problems with it I think it's
likely we'll release it at some point. But I don't have strong
feelings either way and I could be persuaded to switch back to NORMAL.

The string I used is:
SECURE192:+SECURE128:-RSA:+RSA:+SIGN-RSA-SHA1:-DHE-DSS:-VERS-SSL3.0

I wrote a really long comment explaining my reasoning, if you're curious:
https://hg.pidgin.im/pidgin/main/rev/76a2a6d75768

>> Related question:
>> RFC5246 section 7.4.1.4.1. Signature Algorithms says "this extension
>> is not meaningful for TLS versions prior to 1.2. Clients MUST NOT
>> offer it if they are offering prior versions." However it looks like
>> GnuTLS sends the signature algorithms extension even when it sends a
>> version of SSL 3.0. Seems like it should only send the extension when
>> version is TLS 1.2 or higher. Is that a bug? Am I misinterpreting the
>> spec?
>
> Does this happen with the gnutls 3.x versions or is it only in 2.12.x?

If I'm interpreting Wireshark correctly, yes. I see it happen with
GnuTLS 2.12.23, 3.2.11, 3.2.17, and 3.3.7.
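
Added example (not part of the original message, and not GnuTLS or Pidgin code): a small Python parser that reads one ClientHello record and reports the record-layer version, the ClientHello client_version and the extension types present, so the RFC 5246 section 7.4.1.4.1 condition quoted above can be checked against bytes exported from a capture. The function names and the sample bytes are constructed for illustration, and treating a client_version below 3.3 as "offering prior versions" is an assumption about how to read the RFC text.

```python
import struct

SIGNATURE_ALGORITHMS = 13  # extension type, RFC 5246 section 7.4.1.4.1
TLS_1_2 = (3, 3)

def parse_client_hello(record: bytes) -> dict:
    """Return record version, client_version and extension types of one ClientHello."""
    try:
        ctype, rmaj, rmin, rlen = struct.unpack_from("!BBBH", record, 0)
        body = record[5:5 + rlen]
        if ctype != 22 or len(body) != rlen or body[0] != 1:
            raise ValueError("not a complete ClientHello record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 34                                   # client_version (2) + random (32)
        pos += 1 + hello[pos]                      # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hello[pos]                      # compression_methods
        ext_types = []
        if pos < len(hello):                       # the extensions block is optional
            end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
            pos += 2
            while pos + 4 <= min(end, len(hello)):
                etype, elen = struct.unpack_from("!HH", hello, pos)
                ext_types.append(etype)
                pos += 4 + elen
        return {"record_version": (rmaj, rmin), "extensions": ext_types,
                "client_version": (hello[0], hello[1])}
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

def violates_rfc5246(info: dict) -> bool:
    """True if signature_algorithms is sent while client_version is below TLS 1.2."""
    return info["client_version"] < TLS_1_2 and SIGNATURE_ALGORITHMS in info["extensions"]

def build_sample(client_version, with_sigalgs):
    """Constructed ClientHello for the demo; not a capture from GnuTLS."""
    exts = b""
    if with_sigalgs:
        sig = bytes([0x02, 0x01])                  # one pair: sha1 (2), rsa (1)
        exts += struct.pack("!HHH", SIGNATURE_ALGORITHMS, len(sig) + 2, len(sig)) + sig
    hello = bytes(client_version) + bytes(32) + b"\x00"        # version, random, empty session_id
    hello += struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00"  # one suite, null compression
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x00" + struct.pack("!H", len(hs)) + hs   # record-layer version 3.0

if __name__ == "__main__":
    print([violates_rfc5246(parse_client_hello(build_sample(v, True))) for v in ((3, 0), (3, 3))])
```

The record-layer version and client_version are separate fields, which is why the parser returns both: the second constructed sample carries 3.0 at the record layer but offers TLS 1.2 in the hello.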
