On 2007-05-03 Jan Christoph Nordholz <[EMAIL PROTECTED]> wrote:
> Package: libgnutls13
> Version: 1.7.7-1
> Tags: experimental
>
> Hi,
> code and documentation seem to have diverged when TLS1.2 was introduced:
> -> lib/gnutls_priority.c, lines 252 ff., gnutls_set_default_priority()
> ] [...]
> ] * The order is TLS 1.2, TLS 1.1, TLS 1.0, SSL3 for protocols.
> ] * RSA, DHE_DSS, DHE_RSA for key exchange
> ] * algorithms. SHA, MD5 and RIPEMD160 for MAC algorithms.
> ] * AES_128_CBC, 3DES_CBC,
> ] * and ARCFOUR_128 for ciphers.
> ] [...]
> ] static const int protocol_priority[] = { GNUTLS_TLS1_2, GNUTLS_TLS1_1,
> GNUTLS_SSL3, 0 };
> ] static const int kx_priority[] =
> ] { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, 0 };
> ] static const int cipher_priority[] = {
> ] GNUTLS_CIPHER_AES_128_CBC,
> ] GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, 0
> ] };
> ] static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 };
> ] static const int mac_priority[] =
> ] { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 };
> ] [...]
> TLS1.0 and MAC_RIPEMD are gone... I guess this is intentional, but it
> should be documented accordingly, because I've just crept for hours through
> an application's source code searching for the magic call that disables
> TLS1.0... ;-)

This has been fixed upstream in
<http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/gnutls/lib/gnutls_priority.c?root=GNU+TLS+Library&r1=2.55&r2=2.56>

The respective code in the docs is generated automatically from the
comments in lib/gnutls_priority.c.

> PS: This (upstream) change makes the package description look a bit absurd,
> advertising TLS1.0 support when it's deactivated by default...

The change noted above also re-enables TLS1.0 by default, so this part
of your bug-report is going to fix itself too.

Thanks for taking the time to test the packages uploaded to experimental.

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
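The drift reported in this thread (a doc comment listing TLS 1.0 and RIPEMD160 while the default priority arrays omit them) can be caught mechanically. The script below is an added example, not part of the original mail or of GnuTLS; the excerpt is retyped from the quoted report, and the name mapping, regexes and function names are assumptions made for the illustration.

```python
import re

# Excerpt of lib/gnutls_priority.c, retyped from the quoted bug report.
SOURCE = """
 * The order is TLS 1.2, TLS 1.1, TLS 1.0, SSL3 for protocols.
 * RSA, DHE_DSS, DHE_RSA for key exchange
 * algorithms. SHA, MD5 and RIPEMD160 for MAC algorithms.
static const int protocol_priority[] = { GNUTLS_TLS1_2, GNUTLS_TLS1_1,
  GNUTLS_SSL3, 0 };
static const int mac_priority[] =
  { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 };
"""

# Documented name -> enum constant; mapping written for this example.
NAMES = {"TLS 1.2": "GNUTLS_TLS1_2", "TLS 1.1": "GNUTLS_TLS1_1",
         "TLS 1.0": "GNUTLS_TLS1_0", "SSL3": "GNUTLS_SSL3",
         "SHA": "GNUTLS_MAC_SHA1", "MD5": "GNUTLS_MAC_MD5",
         "RIPEMD160": "GNUTLS_MAC_RMD160"}

# Array name -> regex capturing the list the comment promises for it.
DOC_PATTERNS = {
    "protocol_priority": r"The order is (.+?) for protocols",
    "mac_priority": r"algorithms\.\s+(.+?) for MAC algorithms",
}

def documented(src, array):
    """Constants the doc comment promises, in documented order."""
    text = re.sub(r"\n\s*\*\s*", " ", src)  # join wrapped comment lines
    listed = re.search(DOC_PATTERNS[array], text).group(1)
    items = re.split(r",\s*|\s+and\s+", listed)
    return [NAMES[i.strip()] for i in items if i.strip()]

def configured(src, array):
    """Constants in the zero-terminated C array initializer."""
    m = re.search(re.escape(array) + r"\[\]\s*=\s*\{(.*?)\}", src, re.S)
    return [t for t in re.findall(r"\w+", m.group(1)) if t != "0"]

def drift(src, array):
    """Report where documented and compiled-in defaults disagree."""
    doc, code = documented(src, array), configured(src, array)
    return {"documented_only": [x for x in doc if x not in code],
            "code_only": [x for x in code if x not in doc],
            "order_differs": [x for x in doc if x in code]
                             != [x for x in code if x in doc]}

if __name__ == "__main__":
    for name in DOC_PATTERNS:
        print(name, drift(SOURCE, name))
```
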