7.9.5 Interoperability
The TLS protocols support many ciphersuites, extensions and version numbers. As a result, some implementations fail to interoperate properly once faced with extensions or protocol versions they do not support or understand. The TLS protocol allows for a graceful downgrade to the commonly supported options, but practice shows this is not always implemented correctly.
Because there is no way to achieve maximum interoperability with broken peers without sacrificing security, GnuTLS ignores such peers by default. This might not be acceptable in cases where maximum compatibility is required, so compatibility with broken peers can be enabled using priority strings (see Priority strings). An example priority string that is known to provide wide compatibility even with broken peers is shown below:
NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
This priority string will only enable SSL 3.0 and TLS 1.0 as protocols and will disable, via the %COMPAT keyword, several TLS protocol options that are known to cause compatibility problems. Note however that there are known attacks against those protocol versions and this mode trades security for compatibility.
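To see what a priority string like the one above actually leaves enabled, the following added example (not GnuTLS code) evaluates the protocol-version keywords of a priority string and lists the security trade-offs it makes. The version set the NORMAL keyword starts from, the meaning of VERS-TLS-ALL and the risk rules are assumptions constructed for this example, not taken from the manual.

```python
# Added example, not part of GnuTLS: evaluate the VERS-* keywords and
# %-options of a GnuTLS priority string, then report the trade-offs a
# reviewer of a compatibility configuration would want flagged.

ALL_TLS = {"TLS1.0", "TLS1.1", "TLS1.2"}   # assumed meaning of VERS-TLS-ALL
SSL3 = "SSL3.0"
# Assumed starting version sets for the initial keywords (constructed).
BASE_SETS = {"NORMAL": ALL_TLS | {SSL3}, "SECURE128": set(ALL_TLS)}


def evaluate_versions(priority):
    """Return (enabled_versions, special_options) for a priority string.

    Keywords are ':'-separated; the first is the initial keyword, later
    ones start with '+' (add), '-' or '!' (remove) or '%' (option).
    Only VERS-* keywords are interpreted; cipher, MAC and key-exchange
    keywords are passed over untouched.
    """
    initial, *modifiers = priority.split(":")
    if initial not in BASE_SETS:
        raise ValueError(f"unknown initial keyword: {initial}")
    enabled, options = set(BASE_SETS[initial]), set()
    for kw in modifiers:
        if kw.startswith("%"):
            options.add(kw[1:])
            continue
        op, name = kw[0], kw[1:]
        if op not in "+-!":
            raise ValueError(f"modifier must start with +, - or !: {kw}")
        if not name.startswith("VERS-"):
            continue                       # not a protocol-version keyword
        name = name[len("VERS-"):]
        versions = ALL_TLS if name == "TLS-ALL" else {name}
        enabled = enabled | versions if op == "+" else enabled - versions
    return enabled, options


def compatibility_risks(priority):
    """List the security trade-offs a priority string makes (assumed rules)."""
    enabled, options = evaluate_versions(priority)
    risks = []
    if SSL3 in enabled:
        risks.append("SSL 3.0 enabled")
    if "TLS1.2" not in enabled:
        risks.append("TLS 1.2 disabled")
    if "COMPAT" in options:
        risks.append("%COMPAT relaxes protocol checks")
    return risks
```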
This document was generated on January 4, 2012 using texi2html 5.0.