[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_4-7-gfe8358
From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_4-7-gfe8358f
Date: Sun, 08 May 2011 07:52:44 +0000
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=fe8358fb8eca64a61b225416847e79af75c4e0a9
The branch, gnutls_2_12_x has been updated
via fe8358fb8eca64a61b225416847e79af75c4e0a9 (commit)
from f55dd6e87063530422c6b1792b5b46fcfe98f841 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit fe8358fb8eca64a61b225416847e79af75c4e0a9
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun May 8 09:52:39 2011 +0200
Added discussion on compatibility issues.
-----------------------------------------------------------------------
Summary of changes:
doc/cha-intro-tls.texi | 26 ++++++++++++++++++++++++++
1 files changed, 26 insertions(+), 0 deletions(-)
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index 0315ac9..31fe49a 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -377,6 +377,7 @@ that you consider weak.
All the supported ciphersuites are shown in @ref{ciphersuites}.
@subsection Priority strings
address@hidden Priority strings
In order to specify cipher suite preferences, the
previously shown priority functions accept a string
that specifies the algorithms to be enabled in a TLS handshake.
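Review bot: the single added line in this hunk is rendered by the list archive as "address@hidden Priority strings", so only its argument is visible and the command itself cannot be checked here. If it is a @cindex entry, it matches the "@cindex TLS Extensions" convention used later in the same file, but note that @cindex entries are not @ref targets in Texinfo: the second hunk introduces @ref{Priority strings}, which requires a @node or @anchor of that name to exist, so please confirm one does (or add "@anchor{Priority strings}" next to the @subsection) before this is merged.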
@@ -602,6 +603,31 @@ It might also be useful to be able to check for expired
sessions in
order to remove them, and save space. The function
@ref{gnutls_db_check_entry} is provided for that reason.
address@hidden Compatibility issues
+The @acronym{TLS} handshake is a complex procedure that negotiates all
+required parameters for a secure session. @acronym{GnuTLS} supports
+several @acronym{TLS} extensions, as well as the latest known published
+version being @acronym{TLS} 1.2. However few implementations are not able to
+properly interoperate once faced with extensions or version protocols
+they do not support and understand. The @acronym{TLS} protocol allows for
+graceful downgrade to the commonly supported options, but practice shows that
+it is not always implemented correctly.
+
+Because there is no way to handle maximum compatibility with such broken peers
+without sacrificing security, @acronym{GnuTLS} ignores such peers by default.
+This might not be acceptable in several cases
+thus we allow enabling maximum compatibility with such peers using
+priority strings (see @ref{Priority strings}). An example priority string that
will
+disable all supported @acronym{TLS} protocol versions except for
+the widely supported @acronym{SSL} 3.0 and @acronym{TLS} 1.0
+is shown below:
address@hidden
+NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
address@hidden example
+This priority string provides wider compatibility to broken peers.
+We suggest however to use the normal defaults and only switch to such
compatibility
+modes only when compatibility issues occur.
+
@node TLS Extensions
@section TLS Extensions
@cindex TLS Extensions
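Review bot: the added prose in this hunk has wording that inverts its meaning, and the example understates what it gives up. "However few implementations are not able to properly interoperate" reads as "hardly any fail", while the paragraph argues that some do fail; suggest "However, a few implementations are not able to". "version protocols" should be "protocol versions", "thus we allow" wants a preceding comma, and "only switch to such compatibility modes only when" doubles "only". On substance, the example string NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT both drops TLS 1.1 and TLS 1.2 and re-enables SSL 3.0, yet the text only says it "provides wider compatibility to broken peers"; since the preceding paragraph states that compatibility with such peers cannot be had "without sacrificing security", the documentation should say explicitly that this string is a downgrade of the negotiated protocol version, and recommend applying it to the specific peer that needs it rather than as a process-wide default.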
hooks/post-receive
--
GNU gnutls