On Mon, 23 Jan 2012, Nikos Mavrogiannopoulos wrote:

> It doesn't look right. I'd change "-VERS-TLS-ALL:+VERS-SSL3.0" with
> "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0".
>
> However your priority string seem quite radical. You only allow SSL 3.0.

That particular logic is only running when SSL 3.0 is explicitly asked for.

> If you care about interoperability I'd suggest a string similar to
> http://www.gnu.org/software/gnutls/manual/html_node/Interoperability.html
> but even then you have issues like being vulnerable to the "beast" attack.

I'm sorry but I'm not very familiar with SSL at a detailed protocol level. Can
you please tell me how I can ask GnuTLS to use SSL 3.0 _without_ being
vulnerable to something like the "beast" attack?

> btw. gnutls 3.0.12 added a check for gnutls_priority_set_direct() to fail if
> given a string that adds no actual priorities (like the above).

Can I just mention that even after your correction I simply don't understand
the string (and I even thought I copied the string I used from the gnutls
manual) and it makes me slightly frustrated that the API makes it *that* easy
to slip in a mistake that makes the application vulnerable to security
problems. I have read the priority string section of the manual but I must be
equipped with lesser brain cells than the humans that chapter is aimed for.

I realize creating APIs for ignorant users like me is hard and I certainly
appreciate that more recent versions will reject very obvious stupidities...

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html