Disable TLS 1.1 with gnutls by default as it is causing problems

Troels Liebe Bentsen troels at it-kartellet.dk
Thu May 13 18:44:37 EDT 2010


By default gnutls tries TLS 1.1, but most servers only support
TLS 1.0; most will handle the fall-back to that version gracefully, but a
lot won't.

Also, TLS 1.0 is still the default for almost all browsers, even if TLS
1.1 and 1.2 are supported. E.g. in IE on Vista and Windows 7 both are
disabled unless you edit the registry; Firefox and Chrome also only
try TLS 1.0.

GnuTLS bug with more details:
https://savannah.gnu.org/support/?107372

Patch to disable TLS 1.1 by default:

diff --git a/src/ne_socket.c b/src/ne_socket.c
index 31e96f1..efa1086 100644
--- a/src/ne_socket.c
+++ b/src/ne_socket.c
@@ -1646,7 +1646,7 @@ int ne_sock_accept_ssl(ne_socket *sock,
ne_ssl_context *ctx)
 #elif defined(HAVE_GNUTLS)
     gnutls_init(&ssl, GNUTLS_SERVER);
     gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
- gnutls_set_default_priority(ssl);
+ gnutls_priority_set_direct (ssl, "NORMAL:-VERS-TLS1.1", NULL);

     /* Set up dummy session cache. */
     gnutls_db_set_store_function(ssl, store_sess);
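Review bot: the return value of gnutls_priority_set_direct() is dropped on the new line in ne_sock_accept_ssl, and the err_pos argument is passed as NULL; unlike gnutls_set_default_priority(), this call can fail when the priority string is rejected by the installed GnuTLS, and the session would then continue with no priorities set. Suggest `if (gnutls_priority_set_direct(ssl, "NORMAL:-VERS-TLS1.1", NULL) != 0)` followed by an error return (as the other calls in this function report failures), and note that this hunk is the server/accept path, while the interop problem described in the mail is about connecting to servers; if the intent is only to work around broken peers, the accept path could keep the default priority. Minor style point: `gnutls_priority_set_direct (ssl,` has a space before the parenthesis that the surrounding calls do not use.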
@@ -1726,7 +1726,7 @@ int ne_sock_connect_ssl(ne_socket *sock,
ne_ssl_context *ctx, void *userdata)
 #elif defined(HAVE_GNUTLS)
     /* DH and RSA params are set in ne_ssl_context_create */
     gnutls_init(&sock->ssl, GNUTLS_CLIENT);
- gnutls_set_default_priority(sock->ssl);
+ gnutls_priority_set_direct (sock->ssl, "NORMAL:-VERS-TLS1.1", NULL);
     gnutls_session_set_ptr(sock->ssl, userdata);
     gnutls_credentials_set(sock->ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
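Review bot: same missing error check as in the accept hunk, and the priority string "NORMAL:-VERS-TLS1.1" is now duplicated verbatim in two places; suggest a single `#define` (or a field on ne_ssl_context so callers can override the policy) so that the two paths cannot drift apart, and so that the policy can be revisited once peers handle TLS 1.1 and 1.2 correctly, since this change hard-codes the workaround for every neon client rather than making it an option. The `+` line also has the `gnutls_priority_set_direct (` spacing inconsistency noted above.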

Regards Troels



More information about the neon mailing list