diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-05-08 09:52:39 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-05-08 09:52:39 +0200 |
commit | fe8358fb8eca64a61b225416847e79af75c4e0a9 (patch) | |
tree | 11ddf3afa659eeb8276cc5792e3a85f602e61855 /doc | |
parent | f55dd6e87063530422c6b1792b5b46fcfe98f841 (diff) | |
download | gnutls-fe8358fb8eca64a61b225416847e79af75c4e0a9.tar.gz |
Added discussion on compatibility issues.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/cha-intro-tls.texi | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi index 0315ac942a..31fe49a23d 100644 --- a/doc/cha-intro-tls.texi +++ b/doc/cha-intro-tls.texi @@ -377,6 +377,7 @@ that you consider weak. All the supported ciphersuites are shown in @ref{ciphersuites}. @subsection Priority strings +@node Priority strings In order to specify cipher suite preferences, the previously shown priority functions accept a string that specifies the algorithms to be enabled in a TLS handshake. @@ -602,6 +603,31 @@ It might also be useful to be able to check for expired sessions in order to remove them, and save space. The function @ref{gnutls_db_check_entry} is provided for that reason. +@subsection Compatibility issues +The @acronym{TLS} handshake is a complex procedure that negotiates all +required parameters for a secure session. @acronym{GnuTLS} supports +several @acronym{TLS} extensions, as well as the latest known published +version being @acronym{TLS} 1.2. However few implementations are not able to +properly interoperate once faced with extensions or version protocols +they do not support and understand. The @acronym{TLS} protocol allows for +graceful downgrade to the commonly supported options, but practice shows that +it is not always implemented correctly. + +Because there is no way to handle maximum compatibility with such broken peers +without sacrificing security, @acronym{GnuTLS} ignores such peers by default. +This might not be acceptable in several cases +thus we allow enabling maximum compatibility with such peers using +priority strings (see @ref{Priority strings}). An example priority string that will +disable all supported @acronym{TLS} protocol versions except for +the widely supported @acronym{SSL} 3.0 and @acronym{TLS} 1.0 +is shown below: +@example +NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT +@end example +This priority string provides wider compatibility to broken peers. +We suggest however to use the normal defaults and only switch to such compatibility +modes only when compatibility issues occur. + @node TLS Extensions @section TLS Extensions @cindex TLS Extensions |