[Users] gnutls priority setting not honored for IMAP connections

Christoph Ehnes chris at filmkreis.tu-darmstadt.de
Sun May 31 00:00:03 CEST 2015


Hi,

I installed the latest version (3.11.1, on Debian) some days ago and
realized that the gnutls_priority setting doesn't affect IMAP
connections (STARTTLS via SMTP works, as far as I can say). It seems
to me that the weakest ciphersuite of the server is always chosen,
which is not included in the setting.

My settings are:
gnutls_set_priority=1
gnutls_priority=SECURE128:-ECDHE-RSA:-ECDHE-ECDSA:-RSA:-MD5
Such a listing should translate into [1].

The server supports only DHE-ciphers and RSA-AES256 as the only
exception.
This leads to the selection of RSA-AES256 as cipher -- which isn't
in the priority list.

Any help is appreciated.

Regards,
Chris


--

[1]:
$ gnutls-cli --priority=SECURE128:-ECDHE-RSA:-ECDHE-ECDSA:-RSA:-MD5 -l
Cipher suites for SECURE128:-ECDHE-RSA:-ECDHE-ECDSA:-RSA:-MD5
TLS_DHE_RSA_AES_128_GCM_SHA256                    	0x00, 0x9e	TLS1.2
TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256               	0xc0, 0x7c	TLS1.2
TLS_DHE_RSA_AES_256_GCM_SHA384                    	0x00, 0x9f	TLS1.2
TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384               	0xc0, 0x7d	TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA1                      	0x00, 0x33	SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA256                    	0x00, 0x67	TLS1.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1                 	0x00, 0x45	SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256               	0x00, 0xbe	TLS1.0
TLS_DHE_RSA_AES_256_CBC_SHA1                      	0x00, 0x39	SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA256                    	0x00, 0x6b	TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1                 	0x00, 0x88	SSL3.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256               	0x00, 0xc4	TLS1.0
TLS_DHE_DSS_AES_128_GCM_SHA256                    	0x00, 0xa2	TLS1.2
TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256               	0xc0, 0x80	TLS1.2
TLS_DHE_DSS_AES_256_GCM_SHA384                    	0x00, 0xa3	TLS1.2
TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384               	0xc0, 0x81	TLS1.2
TLS_DHE_DSS_AES_128_CBC_SHA1                      	0x00, 0x32	SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA256                    	0x00, 0x40	TLS1.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1                 	0x00, 0x44	SSL3.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256               	0x00, 0xbd	TLS1.0
TLS_DHE_DSS_AES_256_CBC_SHA1                      	0x00, 0x38	SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA256                    	0x00, 0x6a	TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1                 	0x00, 0x87	SSL3.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256               	0x00, 0xc3	TLS1.0

Certificate types: CTYPE-X.509
[...]
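
An added example, not part of the original post: a shell check for the symptom reported above, a negotiated suite that lies outside the listing in [1]. It reads `gnutls-cli --priority=... -l` output and takes the negotiated suite's two-byte code point as a packet capture shows it in the ServerHello; the helper names and the code point 0x0035 (TLS_RSA_WITH_AES_256_CBC_SHA, assumed here to be the post's "RSA-AES256") are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.

# Sample input: header, three suite rows and trailer copied from listing [1].
sample_listing() {
    cat <<'EOF'
Cipher suites for SECURE128:-ECDHE-RSA:-ECDHE-ECDSA:-RSA:-MD5
TLS_DHE_RSA_AES_128_GCM_SHA256    0x00, 0x9e    TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA1      0x00, 0x39    SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA256    0x00, 0x6a    TLS1.0

Certificate types: CTYPE-X.509
EOF
}

# check_negotiated CODEPOINT   (hypothetical helper; CODEPOINT like 0x0035)
# stdin: output of `gnutls-cli --priority=<string> -l`
# exit 0: suite is enabled by the priority string (its name is printed)
# exit 1: suite is not enabled, so the priority string was not applied
# exit 2: no verdict (malformed code point, or no suite rows were parsed)
check_negotiated() {
    awk -v cp="$1" '
        BEGIN {
            rows = 0; rc = 1
            cp = tolower(cp); sub(/^0x/, "", cp)
            if (cp !~ /^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]$/) { rc = 2; exit }
        }
        # Suite rows look like: NAME  0xHH, 0xLL  MIN_VERSION
        $1 ~ /^TLS_/ && $2 ~ /^0x[0-9A-Fa-f][0-9A-Fa-f],$/ &&
        $3 ~ /^0x[0-9A-Fa-f][0-9A-Fa-f]$/ {
            rows++
            id = tolower(substr($2, 3, 2) substr($3, 3, 2))
            if (id == cp) { print $1; rc = 0; exit }
        }
        # An empty listing must not be reported as a policy violation.
        END { if (rc == 1 && rows == 0) rc = 2; exit rc }
    '
}

# Demo on the sample rows; 0x0035 is the assumed negotiated suite.
sample_listing | check_negotiated 0x0035
echo "verdict for 0x0035: $?"

# Against the installed GnuTLS, with the priority string from the post:
#   gnutls-cli --priority=SECURE128:-ECDHE-RSA:-ECDHE-ECDSA:-RSA:-MD5 -l \
#       | check_negotiated 0x0035
```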