Steve Langasek wrote:
> Well, I can reproduce the problem when using this value for TLSCipherSuite.
> But why would you set this value, rather than leaving TLSCipherSuite blank
> to use the default?  I don't see the point of listing *all* the cipher types
> if you don't intend to exclude some of them.

If I leave it blank, it still doesn't work. The behaviour is then exactly equal to the current situation.

> Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2", not
> "$cipher1 $cipher2"; but setting such values gives me a hang on startup
> (which should be investigated).

I can confirm that; the reason why I left out the ":" is this hang. I thought that maybe gnutls parses the string differently and needs spaces in between, which is why I replaced those characters with spaces. Anyway, will you file a bug report for this hang?

> I see that if I leave the cipher list blank, gnutls-cli negotiates
> TLS_RSA_AES_256_CBC_SHA; so if I set TLSCipherSuite TLS_RSA_AES_256_CBC_SHA,
> it works just fine.

How exactly do you find out? Then I might try the same on my PC.

> The full list of ciphers that gnutls clients appear to negotiate by default
> is:
>
>   TLS_DHE_RSA_AES_256_CBC_SHA, TLS_DHE_RSA_AES_128_CBC_SHA,
>   TLS_DHE_RSA_3DES_EDE_CBC_SHA, TLS_DHE_DSS_AES_256_CBC_SHA,
>   TLS_DHE_DSS_AES_128_CBC_SHA, TLS_DHE_DSS_3DES_EDE_CBC_SHA,
>   TLS_DHE_DSS_RC4_128_SHA, TLS_RSA_AES_256_CBC_SHA, TLS_RSA_AES_128_CBC_SHA,
>   TLS_RSA_3DES_EDE_CBC_SHA, TLS_RSA_RC4_128_SHA, TLS_RSA_RC4_128_MD5
>
> So if you don't want to use the default cipher settings, you can perhaps
> choose one of these ciphers individually that meets your needs.

None of these ciphers seems to work (at least in combination with Thunderbird).

> I'm not sure if we should also try to migrate the OpenSSL-specific cipher
> specs to GNUTLS equivalents as part of the package upgrade.

That might be a good idea.

Best regards,

Timo