gnutls_priority_init(3)                 gnutls                 gnutls_priority_init(3)



NAME
       gnutls_priority_init - Sets priorities for the cipher suites supported
       by gnutls.

SYNOPSIS
       #include <gnutls/gnutls.h>

       int gnutls_priority_init(gnutls_priority_t * priority_cache, const char
       * priorities, const char ** err_pos);

ARGUMENTS
       gnutls_priority_t * priority_cache
              receives the newly allocated gnutls_priority_t handle. It is
              released with gnutls_priority_deinit() when no longer needed.

       const char * priorities
              is a string describing the priorities, in the syntax given
              under DESCRIPTION.

       const char ** err_pos
              In case of an error this will point at the position in
              priorities where the syntax error occurred. It points into
              the caller's string, not into a copy. May be NULL if the
              position is not wanted.

DESCRIPTION
       Sets priorities for the ciphers, key exchange methods, MACs and
       compression methods. This is to avoid using the individual
       gnutls_*_priority() functions.

       The priorities option allows you to specify a colon (':') separated
       list of keywords describing the cipher priorities to enable.

       Unless the first keyword is "NONE" the defaults (in preference order)
       are for TLS protocols TLS1.1, TLS1.0, SSL3.0; for compression NULL; for
       certificate types X.509, OpenPGP.

       For key exchange algorithms when in NORMAL or SECURE levels the perfect
       forward secrecy algorithms (the ephemeral Diffie-Hellman suites) take
       precedence over the others. In all cases all the supported key exchange
       algorithms are enabled (except for RSA-EXPORT, which is only enabled in
       the EXPORT level).

       Note that although one can select very long key sizes (such as 256
       bits) for symmetric algorithms, to actually increase security the
       public key algorithms have to use longer key sizes as well: the
       connection is only as strong as the weaker of the two.

       For all the currently available algorithms and protocols use
       "gnutls-cli -l" to get a listing.

Common keywords:
       Some keywords are defined to provide quick access to common
       preferences.

       "PERFORMANCE" means all the "secure" ciphersuites are enabled, limited
       to 128 bit ciphers and sorted by speed.

       "NORMAL" means all "secure" ciphersuites. The 256-bit ciphers are
       included as a fallback only. The ciphers are sorted by security
       margin.

       "SECURE128" means all "secure" ciphersuites with ciphers up to 128
       bits, sorted by security margin.

       "SECURE256" means all "secure" ciphersuites including the 256 bit
       ciphers, sorted by security margin.

       "EXPORT" means all ciphersuites are enabled, including the low-security
       40 bit ciphers, whose keys can be recovered by brute force. Use it
       only for interoperability testing.

       "NONE" means nothing is enabled. This disables even protocol versions
       and compression methods; every item must then be added explicitly
       with "+".

Special keywords:
       "!" or "-" prefixed to an algorithm will remove this algorithm.

       "+" prefixed to an algorithm will add this algorithm.

       "%COMPAT" will enable compatibility features for a server (workarounds
       for non-conforming peers).

       "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation, i.e.
       renegotiation with peers that do not support the safe renegotiation
       extension (RFC 5746). This is now the default for clients, but will
       change once more servers support the safe renegotiation TLS fix.

       "%SAFE_RENEGOTIATION" will allow safe renegotiation only (this is the
       default for servers, which will reject clients trying to perform an
       unsafe renegotiation).

       "%INITIAL_SAFE_RENEGOTIATION" will require the peer to advertise safe
       renegotiation already on the initial handshake, even if no
       renegotiation is ever requested. Only valid for the server side and
       implies "%SAFE_RENEGOTIATION".

       "%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation
       completely, which re-exposes the connection to the renegotiation
       attack the extension was introduced to fix. Do not use unless you know
       what you are doing. Testing purposes only.

       "%SSL3_RECORD_VERSION" will use the SSL3.0 record layer version in the
       client hello (a workaround for servers that reject newer record
       versions).

       "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA-MD5 signatures in
       certificate chains. MD5 collisions are practical, so this makes forged
       certificates verifiable; leave it off unless a legacy chain requires
       it.

       "%VERIFY_ALLOW_X509_V1_CA_CRT" will allow X.509 version 1 CAs in
       chains. V1 certificates carry no basicConstraints extension, so any V1
       certificate could act as a CA; this is why they are rejected by
       default.

       To avoid name collisions, a compression algorithm in this string has
       to be prefixed with "COMP-", a protocol version with "VERS-" and a
       certificate type with "CTYPE-". All other algorithms need no prefix.

Examples:
       "NORMAL:!AES-128-CBC" means the normal ciphers except for AES-128.

       "EXPORT:!VERS-TLS1.0:+COMP-DEFLATE" means that export ciphers are
       enabled, TLS 1.0 is disabled, and DEFLATE (zlib) compression is
       enabled. This illustrates the syntax only; both choices weaken the
       connection.

       "NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL" builds a
       configuration from nothing: only TLS 1.0, AES-128-CBC, RSA key
       exchange, the SHA1 MAC and no compression are enabled. "NORMAL" alone
       is also a valid string, and "%COMPAT" is used as a modifier, as in
       "NORMAL:%COMPAT" for a server that has to talk to broken peers.

RETURNS
       On syntax error GNUTLS_E_INVALID_REQUEST is returned and err_pos
       points at the offending part of the string; GNUTLS_E_SUCCESS (0) is
       returned on success, or another error code on failure.
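       The program below is an added example, not GnuTLS code: it does not
       link against libgnutls, but walks a priority string by the rules given
       under DESCRIPTION and Examples above and reports a syntax error through
       an err_pos pointer the way gnutls_priority_init() does, so a string
       can be linted (and the keywords that weaken the configuration counted)
       before the real call is made. check_priority(), PRIO_OK, PRIO_INVALID,
       the keyword tables and the sample strings are this example's own
       assumptions; the tables contain only the keywords listed on this page,
       and individual algorithm names are not checked (use "gnutls-cli -l" for
       those).

```c
/* Added example (not GnuTLS code): a stand-alone lint for priority strings
 * following the grammar documented in gnutls_priority_init(3).  Names and
 * tables below are this example's own assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PRIO_OK        0    /* stands in for GNUTLS_E_SUCCESS */
#define PRIO_INVALID (-1)   /* stands in for GNUTLS_E_INVALID_REQUEST */

/* Level keywords ("Common keywords" on the man page). */
static const char *const levels[] = {
    "PERFORMANCE", "NORMAL", "SECURE128", "SECURE256", "EXPORT", "NONE", NULL
};
/* "%" flags ("Special keywords" on the man page). */
static const char *const flags[] = {
    "%COMPAT", "%UNSAFE_RENEGOTIATION", "%SAFE_RENEGOTIATION",
    "%INITIAL_SAFE_RENEGOTIATION", "%DISABLE_SAFE_RENEGOTIATION",
    "%SSL3_RECORD_VERSION", "%VERIFY_ALLOW_SIGN_RSA_MD5",
    "%VERIFY_ALLOW_X509_V1_CA_CRT", NULL
};
/* Tokens that lower the security of the resulting configuration. */
static const char *const weak[] = {
    "EXPORT", "+COMP-DEFLATE", "%UNSAFE_RENEGOTIATION",
    "%DISABLE_SAFE_RENEGOTIATION", "%VERIFY_ALLOW_SIGN_RSA_MD5",
    "%VERIFY_ALLOW_X509_V1_CA_CRT", NULL
};

/* Case-insensitive match of tok[0..len) against a table entry (GnuTLS
 * matches its keywords case-insensitively). */
static int in_table(const char *const *table, const char *tok, size_t len)
{
    for (; *table != NULL; table++) {
        size_t i;
        if (strlen(*table) != len)
            continue;
        for (i = 0; i < len; i++)
            if (tolower((unsigned char)(*table)[i]) != tolower((unsigned char)tok[i]))
                break;
        if (i == len)
            return 1;
    }
    return 0;
}

/* Walk the colon-separated string.  Returns PRIO_OK with the number of
 * weakening tokens in *nweak, or PRIO_INVALID with *err_pos pointing at the
 * offending token, as gnutls_priority_init() reports its error position. */
int check_priority(const char *prio, const char **err_pos, int *nweak)
{
    const char *tok = prio;

    *err_pos = NULL;
    *nweak = 0;
    if (prio == NULL || *prio == '\0') {
        *err_pos = prio;
        return PRIO_INVALID;
    }
    for (;;) {
        const char *end = strchr(tok, ':');
        size_t len = end ? (size_t)(end - tok) : strlen(tok);
        int ok;

        if (len == 0)                               /* "A::B" or trailing ':' */
            ok = 0;
        else if (in_table(levels, tok, len))        /* NORMAL, SECURE256, ... */
            ok = 1;
        else if (tok[0] == '%')                     /* must be a known flag */
            ok = in_table(flags, tok, len);
        else if (tok[0] == '+' || tok[0] == '!' || tok[0] == '-')
            ok = len > 1;                           /* operator needs a name */
        else
            ok = 0;                                 /* bare name, no operator */

        if (!ok) {
            *err_pos = tok;
            return PRIO_INVALID;
        }
        if (in_table(weak, tok, len))
            (*nweak)++;
        if (end == NULL)
            break;
        tok = end + 1;
    }
    return PRIO_OK;
}

int main(void)
{
    /* Constructed inputs: a hardened string, the man page's EXPORT example
     * and a string whose algorithm lacks its '+' operator. */
    const char *samples[] = {
        "SECURE256:-VERS-SSL3.0:%SAFE_RENEGOTIATION",
        "EXPORT:!VERS-TLS1.0:+COMP-DEFLATE",
        "NORMAL:AES-128-CBC",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *err;
        int nweak;
        if (check_priority(samples[i], &err, &nweak) != PRIO_OK)
            printf("%-45s syntax error at offset %d: \"%s\"\n",
                   samples[i], (int)(err - samples[i]), err);
        else
            printf("%-45s ok, %d weakening keyword(s)\n", samples[i], nweak);
    }
    return 0;
}
```

       In a real program the same err_pos arithmetic applies to the pointer
       gnutls_priority_init() hands back: printing (int)(err_pos - priorities)
       gives the column of the error in the caller's string.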

REPORTING BUGS
       Report bugs to <bug-gnutls@gnu.org>. GnuTLS home page:
       http://www.gnu.org/software/gnutls/ General help using GNU software:
       http://www.gnu.org/gethelp/

COPYRIGHT
       Copyright © 2008 Free Software Foundation.
       Copying and distribution of this file, with or without modification,
       are permitted in any medium without royalty provided the copyright
       notice and this notice are preserved.

SEE ALSO
       The full documentation for gnutls is maintained as a Texinfo manual.
       If the info and gnutls programs are properly installed at your site,
       the command

              info gnutls

       should give you access to the complete manual.



gnutls 2.8.6                                           gnutls_priority_init(3)