Re: gnutls-cli fails to handshake with Exchange server that uses DES-CBC
From: Nikos Mavrogiannopoulos
Subject: Re: gnutls-cli fails to handshake with Exchange server that uses DES-CBC3-SHA cipher
Date: Mon, 2 Apr 2012 17:46:30 +0200
2012/4/2 Ted Zlatanov <address@hidden>:
> NM> You cannot in general distinguish a negotiation with a broken server and
> NM> negotiation failure. What (I think) browsers do is if negotiation fails
> NM> they fall back to the most compatible mode (SSL 3.0 or so).
> So you're suggesting to try a weaker (more compatible) priority string,
> right? We could do that per server name. Considering we have just one
> bug report on this and from a broken server, I'm not sure it's worth the
> effort to automate the fallback. In your experience, is this a
> widespread problem worth addressing through code, or is it better as a
> FAQ?
Experience has shown that there are quite many broken servers [0]
out there, so we'd encourage applications to have a fallback strategy.
Whether that would include manual intervention of the user or not is not
as important.
regards,
Nikos
[0]. http://tools.ietf.org/id/draft-pettersen-tls-interop-experience-00.txt