On Thu, 6 Jul 2017 19:40:58 +0200 Detlef Graef <d.graef-antagkrnahcb1svskn2...@public.gmane.org> wrote:
> On 06.07.2017 at 04:30, Duncan wrote:
> > Duncan posted on Thu, 06 Jul 2017 01:14:18 +0000 as excerpted:
> >
> >> FWIW I think the optimum, if it's not too difficult to achieve, would be
> >> to let it be auto-negotiated, of course favoring the newer versions if
> >> the server supports them as well. If getting the negotiation right is
> >> too difficult, I'd suggest making it configurable, at /least/ via file,
> >> but of course I'd personally prefer gui.
> >
> > Thinking about it a bit more...
> >
> > Even better would be auto-negotiation, but with a configured minimum
> > version, which would of course default to 1.0 for backward compatibility,
> > but users could up that to 1.3 or whatever if they knew their provider
> > supported it. Then if pan couldn't negotiate the configured minimum,
> > instead of falling back to something less secure it'd hard-fail.
> >
> > Then the configuration could be servers.xml only without either
> > regression if only the existing 1.0 was server-supported, or too big a
> > security compromise if higher was, because the auto-negotiation would
> > then get that, for gui-only users.
> >
> > I believe that'd be my ideal, with gui or no-gui config left up to a vote
> > here or the person doing the patch, I guess.
>
> The GnuTLS library does auto-negotiation.
>
> It is possible to set the TLS version to "VERS-TLS-ALL"; then the TLS
> version is auto-negotiated. Other parameters can be set too.
>
> For a quick test I have replaced line number 813 in the file
> socket-impl-openssl.cc with the following line:
>
>     "NONE:+VERS-TLS-ALL:+CIPHER-ALL:+COMP-ALL:+KX-ALL:+SIGN-ALL:+CURVE-ALL:+CTYPE-ALL:+MAC-ALL", NULL);
>
> This enables all TLS versions (1.0, 1.1, 1.2) and all other options.
>
> See: https://gnutls.org/manual/html_node/Priority-Strings.html
>
> After building Pan with the gnu-tls option enabled everything seems to work
> in my setup.

Detlef's patch addressing this landed in master yesterday.
Please test it and report back should there be any secure connection issues.

Thanks!

Cheers,
pk

_______________________________________________
Pan-users mailing list
Pan-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/pan-users
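The scheme Duncan describes above (auto-negotiation, but with a configured minimum version that defaults to 1.0 and hard-fails instead of falling back) can be expressed directly as a GnuTLS priority string. The following is an added example written for this page; it is not Pan's code and not the patch that landed in master. It builds the priority string for a given minimum, reads back which TLS versions a priority string enables (so the "NONE:+VERS-TLS-ALL:..." string from the quoted test and a minimum-1.2 string can be compared), and models the hard-fail. Assumptions: a GnuTLS build that knows the VERS-TLS1.3 keyword (the quoted message predates it and lists only 1.0 to 1.2), and a simplified reading of the level keywords in which NORMAL enables every TLS version while NONE enables nothing; the real NORMAL also selects ciphers, MACs and so on, which this model ignores.

```python
"""Model of 'auto-negotiate with a configured minimum TLS version'.

Example code for this discussion, not Pan's code. The priority-string
grammar follows https://gnutls.org/manual/html_node/Priority-Strings.html
in a reduced form: only the VERS-* keywords are interpreted.
"""

# Oldest to newest. Assumes a GnuTLS build that knows VERS-TLS1.3.
TLS_VERSIONS = ("1.0", "1.1", "1.2", "1.3")
VERS_KEYWORD = {v: "VERS-TLS" + v for v in TLS_VERSIONS}  # "1.2" -> "VERS-TLS1.2"

# Level keywords that open (or reset) a priority string. Simplified model:
# NONE enables no versions, every other level enables all of them.
LEVELS = {
    "NONE": frozenset(),
    "NORMAL": frozenset(TLS_VERSIONS),
    "SECURE128": frozenset(TLS_VERSIONS),
    "SECURE256": frozenset(TLS_VERSIONS),
    "PERFORMANCE": frozenset(TLS_VERSIONS),
    "LEGACY": frozenset(TLS_VERSIONS),
}


def priority_for_minimum(min_version="1.0"):
    """Priority string that lets GnuTLS negotiate any version >= min_version
    and nothing older. The default "1.0" keeps today's behaviour (every
    version), matching the proposed servers.xml default."""
    if min_version not in TLS_VERSIONS:
        raise ValueError("unknown TLS version %r" % (min_version,))
    allowed = TLS_VERSIONS[TLS_VERSIONS.index(min_version):]
    parts = ["NORMAL", "-VERS-TLS-ALL"] + ["+" + VERS_KEYWORD[v] for v in allowed]
    return ":".join(parts)


def enabled_versions(priority):
    """TLS versions a priority string enables, applying VERS-* keywords
    left to right. Other algorithm keywords (CIPHER-ALL, MAC-ALL, ...) and
    %OPTIONS are accepted and ignored. Every algorithm keyword must carry a
    +, - or ! prefix, as in the manual; an unprefixed one is a syntax error."""
    tokens = priority.split(":")
    if tokens[0] not in LEVELS:
        raise ValueError("priority string must start with a level keyword")
    enabled = set(LEVELS[tokens[0]])
    for tok in tokens[1:]:
        if tok in LEVELS:            # a level keyword mid-string resets the set
            enabled = set(LEVELS[tok])
            continue
        if tok.startswith("%"):      # option keyword, not an algorithm
            continue
        if tok[:1] not in "+-!":
            raise ValueError("syntax error near %r" % (tok,))
        add, name = tok[0] == "+", tok[1:]
        if name in ("VERS-TLS-ALL", "VERS-ALL"):
            affected = set(TLS_VERSIONS)
        elif name.startswith("VERS-TLS"):
            v = name[len("VERS-TLS"):]
            if v not in TLS_VERSIONS:
                raise ValueError("unknown version keyword %r" % (name,))
            affected = {v}
        else:
            continue                 # non-version keyword: ignored by this model
        enabled = (enabled | affected) if add else (enabled - affected)
    return tuple(v for v in TLS_VERSIONS if v in enabled)


def negotiate(min_version, server_versions):
    """Newest version both sides accept, or a hard failure: never fall back
    below the configured minimum. server_versions is a constructed stand-in
    for what the NNTP server's TLS stack would offer."""
    offered = enabled_versions(priority_for_minimum(min_version))
    common = [v for v in offered if v in server_versions]
    if not common:
        raise ConnectionError(
            "server offers only TLS %s; configured minimum is TLS %s"
            % (", ".join(sorted(server_versions)), min_version))
    return common[-1]


if __name__ == "__main__":
    quoted = ("NONE:+VERS-TLS-ALL:+CIPHER-ALL:+COMP-ALL:+KX-ALL:+SIGN-ALL"
              ":+CURVE-ALL:+CTYPE-ALL:+MAC-ALL")
    print("quoted test string enables:", enabled_versions(quoted))
    print("minimum 1.2 ->", priority_for_minimum("1.2"))
    print("negotiated with a 1.0/1.2 server:", negotiate("1.0", {"1.0", "1.2"}))
    try:
        negotiate("1.2", {"1.0", "1.1"})
    except ConnectionError as exc:
        print("hard fail:", exc)
```

Against a real GnuTLS the same check is one call: gnutls_priority_init() takes the string plus an err_pos pointer, so a priority string built from the configured minimum can be validated at configuration time and a rejected string reported with the offending position rather than discovered at the first handshake.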