author Nikos Mavrogiannopoulos <nmav@redhat.com> 2014-03-27 11:13:42 +0100
committer Nikos Mavrogiannopoulos <nmav@redhat.com> 2014-03-27 11:13:42 +0100
commit 9217399323f44b7a0502a21e8d415dcd2adf7c16
tree 7993d3b7463e58dcec71a75d04bfedda070e1c59 /doc
parent ded4b70aac7ba1a9910d4dd9f57f875c0baa5722
The %COMPAT keyword no longer reduces security.
Introduced the LEGACY keyword which will enable the settings used in GnuTLS 3.2.x for the NORMAL keyword. That is to be used in cases where compatibility with weak or misconfigured servers is required.
Diffstat (limited to 'doc')
-rw-r--r-- doc/cha-gtls-app.texi 7
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 8c4142dce8..c76539e4c5 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -912,6 +912,13 @@ and the certificate verification profile is set to GNUTLS_PROFILE_LOW (80-bits).
This priority string implicitly enables DHE and ECDHE.
+@item LEGACY @tab
+This sets the NORMAL settings that were used for GnuTLS 3.2.x or earlier. There is
+no verification profile set, and the allowed DH primes are considered
+weak today (but are often used by misconfigured servers).
+
+This priority string implicitly enables DHE and ECDHE.
+
@item PFS @tab
Means all the known to be secure ciphersuites that support perfect forward
secrecy. The ciphers are sorted by security
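Review bot: The new `@item LEGACY` entry says the allowed DH primes "are considered weak today" without giving a number, while the entry just above it states its verification profile and strength explicitly (GNUTLS_PROFILE_LOW, 80-bits). Please state the minimum DH prime size LEGACY accepts and spell out what "no verification profile set" means for certificate checks, so a reader can judge the downgrade before choosing it. It would also help to say in this entry that LEGACY is meant for connections to specific weak or misconfigured servers, as the commit message does, rather than as a general default. Separately, the commit message says %COMPAT no longer reduces security, but the diffstat for doc/ shows only these 7 insertions; if the %COMPAT description in this file still describes it as lowering security, it should be updated in the same change.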