On Sat, Aug 11, 2018 at 7:01 AM, Andreas Metzler <[email protected]> wrote:
> Jeremy Harris <[email protected]> wrote:
>> My code is trying to do:
>
>>   
>> gnutls_priority_init(NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL)
>
>> This used to work, I think with a previous library version.
>> Under GnuTLS 3.6.3 (on f28) I'm getting:
>
>>   "failed at offset 0, "NONE:+VE.." failed: No or insufficient priorities 
>> were set".
>
>
>> The manual at https://gnutls.org/manual/html_node/Priority-Strings.html still
>> says, in Table 6.3 for "NONE":
>
>>   "Means nothing is enabled. This disables even protocol versions.
>>   It should be followed by the algorithms to be enabled."
>
>
>> What should I now be using?
>
> Hello,
>
> playing around with
> gnutls-cli -l --priority '...'
> it looks like adding ':+GROUP-ALL' succeeds. I am not sure this makes
> sense, though, and it has the downside of not being accepted by GnuTLS
> 3.5.x.

Maybe we should document that the NONE + build-up approach is
version-specific and cannot be guaranteed to work on protocol updates,
or across minor gnutls version updates. That was not the original
intention, but in practice over every TLS update (1.1 -> 1.2 -> 1.3)
these strings that were derived from NONE broke.

> How about
> NORMAL:-VERS-ALL:+VERS-TLS-ALL:-KX-ALL:+RSA:-CIPHER-ALL:+AES-128-CBC:+CAMELLIA-256-GCM:-COMP-ALL:+COMP-NULL

That is certainly much better, but from the perspective of someone who
has seen numerous such priority strings in applications, I'd
really recommend using the defaults. Applications typically keep that
string fixed for more than a decade, whereas the gnutls defaults get
updated (quite conservatively) to eliminate insecure configurations
and add new ciphers (think of SSL3.0, RC4, 3DES, DSA etc). As such,
I'd recommend gnutls_set_default_priority() or
gnutls_set_default_priority_append() (in 3.6.x).

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
