Disable TLS 1.1 with gnutls by default as it is causing problems
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neon27 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
By default gnutls tries with TLS 1.1, but most servers only support TLS 1.0. Most will handle fall-back to this version gracefully, but a lot won't.
Also, TLS 1.0 is still the default for almost all browsers even if TLS 1.1 and 1.2 are supported. For example, in IE on Vista and Windows 7 both are disabled unless you edit the registry; Firefox and Chrome also only try TLS 1.0. So having Subversion be the only application defaulting to TLS 1.1 might not be the best idea.
GnuTLS bug with more details:
https:/
Patch to disable TLS 1.1 by default:
diff --git a/src/ne_socket.c b/src/ne_socket.c
index 31e96f1..efa1086 100644
--- a/src/ne_socket.c
+++ b/src/ne_socket.c
@@ -1646,7 +1646,7 @@ int ne_sock_
#elif defined(
gnutls_
gnutls_
- gnutls_
+ gnutls_
/* Set up dummy session cache. */
gnutls_
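Review bot: the replacement gnutls_ call on the + line (around line 1649 of src/ne_socket.c) is added with no comment explaining why the default is overridden. Going by the description, it caps the default at TLS 1.0 to work around servers that do not fall back cleanly, so a short comment pointing to the GnuTLS bug would tell a later maintainer when the restriction can be lifted. The + line also sits directly under the #elif branch with no added condition, so callers whose servers do support TLS 1.1 have no way to opt back in; consider making the restriction configurable rather than fixed.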
@@ -1726,7 +1726,7 @@ int ne_sock_
#elif defined(
/* DH and RSA params are set in ne_ssl_
gnutls_
- gnutls_
+ gnutls_
gnutls_
gnutls_
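Review bot: the one-line gnutls_ substitution around line 1729 repeats the pattern of the hunk at line 1649, so the two call sites can drift apart if only one of them is revisited later. If both are meant to apply the same protocol restriction, consider defining it once (a shared helper or macro in src/ne_socket.c) and using it at both places, with the explanatory comment kept beside that single definition.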