Next: Compatibility with the OpenSSL library, Previous: Channel Bindings, Up: Advanced topics [Contents][Index]
The TLS protocols support many ciphersuites, extensions and version numbers. As a result, few implementations are not able to properly interoperate once faced with extensions or version protocols they do not support and understand. The TLS protocol allows for a graceful downgrade to the commonly supported options, but practice shows it is not always implemented correctly.
Because there is no way to achieve maximum interoperability with broken peers without sacrificing security, GnuTLS ignores such peers by default. This might not be acceptable in cases where maximum compatibility is required. Thus we allow enabling compatibility with broken peers using priority strings (see Priority Strings). A conservative priority string that would disable certain TLS protocol options that are known to cause compatibility problems, is shown below.
NORMAL:%COMPAT
For very old broken peers that do not tolerate TLS version numbers over TLS 1.0 another priority string is:
NORMAL:-VERS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
This priority string will in addition to above, only enable SSL 3.0 and TLS 1.0 as protocols.