[Nix-dev] GnuTLS 2.10

Michael Raskin 7c6f434c at mail.ru
Mon Jul 12 14:47:14 CEST 2010



On 07/12/2010 03:55 PM, Ludovic Courtès wrote:
> OK, thanks for the explanation.
> 
> Clients or servers can restrict the set of supported protocols with
> ‘gnutls_protocol_set_priority’.  So they could give SSL 3.0 higher
> priority than other protocols, or something like that.

For some weird reasons at least lftp and libsoup go the "disable TLS" way.

> Now, it seems weird that TLS handshake is used even when SSL 3.0 is
> asked.  Did you raise the issue on bug-gnutls at gnu.org?

You have to ask for SSL 3.0 only, and that is accomplished by forbidding
all TLS versions. So you have to forbid new versions no later than they
come.

The issue was discussed on gnutls-devel. The current state of affairs
seems to seem hard to improve to the people involved...

> Agreed.
> 
> I don’t work on GnuTLS these days so I’d suggest discussing this on
> bug-gnutls at gnu.org.

I didn't hope for any specific help from you here, because it is no
simple question (and libsoup people would take the better way if there
was any). My motivation actually was to show that the real hard-to-fight
problems come from simple hard-to-notice things, not from the merits of
a way to avoid triggering too big a rebuild in corner cases...
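The point Michael makes above, that "SSL 3.0 only" is expressed by forbidding every TLS version, so a new TLS version is enabled until someone adds it to the forbid list, can be checked with a small model. The following is an added example, not code from the thread or from GnuTLS: it evaluates only the VERS-* keywords of GnuTLS priority strings (NORMAL, NONE, +VERS-X, -VERS-X, VERS-TLS-ALL) against a constructed, not real, table of library-known versions, and compares a denylist-style string with an allowlist-style one.

```python
"""Toy evaluator for the protocol-version part of a GnuTLS priority string."""

# Two constructed snapshots of the versions a library build might know about;
# these are illustrative, not a real GnuTLS version table.
VERSIONS_THEN = ("SSL3.0", "TLS1.0", "TLS1.1")
VERSIONS_LATER = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2")


def enabled_versions(priority, known):
    """Return the ordered list of protocol versions a priority string enables.

    Simplified model of GnuTLS priority syntax, versions only (not the real
    parser behind gnutls_priority_init): NORMAL enables every version the
    library knows, NONE starts empty, '+VERS-X' adds X, '-VERS-X' removes X,
    and 'VERS-TLS-ALL' stands for every TLS (non-SSL) version known.
    """
    enabled = []
    for token in priority.split(":"):
        if token == "NORMAL":
            enabled = list(known)
        elif token == "NONE":
            enabled = []
        elif token.startswith(("+VERS-", "-VERS-")):
            name = token[6:]
            if name == "TLS-ALL":
                targets = [v for v in known if v.startswith("TLS")]
            else:
                targets = [name]
            for v in targets:
                if token[0] == "+" and v in known and v not in enabled:
                    enabled.append(v)
                elif token[0] == "-" and v in enabled:
                    enabled.remove(v)
        # cipher, MAC and other keywords do not affect versions; ignored here
    return enabled


def future_proof(priority):
    """True if the enabled versions are unchanged when a new TLS version appears."""
    return enabled_versions(priority, VERSIONS_THEN) == enabled_versions(priority, VERSIONS_LATER)


if __name__ == "__main__":
    for p in ("NORMAL:-VERS-TLS1.0:-VERS-TLS1.1", "NONE:+VERS-SSL3.0", "NORMAL:-VERS-TLS-ALL"):
        print(p, enabled_versions(p, VERSIONS_LATER), "future-proof:", future_proof(p))
```

The denylist string silently gains TLS1.2 once the library learns it, which is exactly the maintenance trap described in the thread; an explicit allowlist (as with gnutls_protocol_set_priority's version list) does not change meaning when the library grows.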