[PATCH 5/6] When selecting TLS protocol options for GnuTLS set the same defaults as in openssl.

David Woodhouse dwmw2 at infradead.org
Sat Nov 23 14:26:24 EST 2013


On Sat, 2013-11-23 at 18:58 +0100, Nikos Mavrogiannopoulos wrote:
> 
> This change removes the protocol-weakening options (e.g., the disabling of
> secure renegotiation, the removal of ECDHE ciphersuites, and the restriction
> to the known to be weak TLS 1.0).

I don't think we can do that; certainly not unconditionally. Some
servers (or their firewalls) are very picky about what they allow, and
secure renegotiation and TLS > 1.0 have definitely been known to give
immediately connection failures.

-- 
dwmw2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20131123/f3b8ab4a/attachment.bin>


More information about the openconnect-devel mailing list