bug#49035: [gnutls-help] TLS downgrade at bitbucket.org


From: Ludovic Courtès
Subject: bug#49035: [gnutls-help] TLS downgrade at bitbucket.org
Date: Sun, 20 Jun 2021 23:26:13 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi Daiki,

Daiki Ueno <ueno@gnu.org> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> $ gnutls-cli --priority="NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3" -p https bitbucket.org

[...]

>> Aren’t these two priority strings supposed to be equivalent today?
>
> No.  If -VERS-TLS-ALL is used, the default priorities on TLS versions in
> NORMAL are ignored; the user is responsible for building the priority
> string so it reflects the actual preference, which in this case is:
>
>   -VERS-TLS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0

Thanks for the explanations.  As you suggest, the mistake was that cURL
7.77.0 would pass the priority string in the “wrong order”, preferring
older TLS versions.  This is now fixed:

  https://github.com/curl/curl/issues/7277

Ludo’.
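
The ordering rule discussed in this thread, as an added example that is not part of the original messages and is not GnuTLS or cURL code: a small Python check that flags a priority string which, after `-VERS-TLS-ALL`, adds TLS versions oldest first. The function names and the simplified model (only `VERS-TLS*` tokens are interpreted, in the order they appear after the reset) are assumptions of this example.

```python
import re

# Simplified model (an assumption of this example, based on the reply quoted
# above): once -VERS-TLS-ALL clears the defaults from NORMAL, each
# +VERS-TLSx.y is preferred in the order it is added. All other priority
# keywords are ignored here.
VERSION_RE = re.compile(r"^([+-])VERS-TLS(\d+)\.(\d+)$")
RESET_TOKENS = ("-VERS-TLS-ALL", "-VERS-ALL")


def explicit_version_order(priority):
    """Return TLS versions in preference order as (major, minor) tuples,
    or None when the string never resets the default version list."""
    order = None
    for token in priority.split(":"):
        if token in RESET_TOKENS:
            order = []                  # defaults no longer apply
            continue
        match = VERSION_RE.match(token)
        if order is None or not match:
            continue                    # not modelled by this check
        version = (int(match.group(2)), int(match.group(3)))
        if match.group(1) == "+" and version not in order:
            order.append(version)       # added later, preferred later
        elif match.group(1) == "-" and version in order:
            order.remove(version)
    return order


def prefers_older_tls(priority):
    """True when an older TLS version is listed ahead of a newer one."""
    order = explicit_version_order(priority)
    if not order:
        return False
    return any(a < b for a, b in zip(order, order[1:]))


if __name__ == "__main__":
    # The first string is the one quoted in the thread; the second is built
    # from the ordering suggested in the reply.
    samples = [
        "NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:"
        "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3",
        "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0",
    ]
    for s in samples:
        print("prefers older TLS:", prefers_older_tls(s), "|", s)
```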