|
| From: | Daniel Stenberg |
| Subject: | Re: [libmicrohttpd] SSL handshake fails between libcurl and libgnutls/MHD |
| Date: | Mon, 23 Jan 2012 23:14:44 +0100 (CET) |
| User-agent: | Alpine 2.00 (DEB 1167 2008-08-23) |
On Mon, 23 Jan 2012, Nikos Mavrogiannopoulos wrote:
It doesn't look right. I'd change "-VERS-TLS-ALL:+VERS-SSL3.0" with "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0".However your priority string seem quite radical. You only allow SSL 3.0.
That particular logic is only running when SSL 3.0 is explicitly asked for.
If you care about interoperability I'd suggest a string similar to http://www.gnu.org/software/gnutls/manual/html_node/Interoperability.html but even then you have issues like being vulnerable to the "beast" attack.
I'm sorry but I'm not very familiar with SSL at a detailed protocol level. Can you please tell me how I can ask GnuTLS to use SSL 3.0 _without_ being vulnerable to something like the "beast" attack?
btw. gnutls 3.0.12 added a check for gnutls_priority_set_direct() to fail if given a string that adds no actual priorities (like the above).
Can I just mention that even after your correction I simply don't understand the string (and I even thought I copied the string I used from the gnutls manual) and it makes me slightly frustrated that the API makes it *that* easy to slip in a mistake that makes the application vulnerable to security problems. I have read the priority string section of the manual but I must be equipped with lesser brain cells than the humans that chapter is aimed for.
I realize creating APIs for ignorant users like me is hard and I certainly appreciate that more recent versions will reject very obvious stupidities...
-- / daniel.haxx.se
| [Prev in Thread] | Current Thread | [Next in Thread] |