gnutls_priority_init(3)             gnutls             gnutls_priority_init(3)

NAME

       gnutls_priority_init - Sets priorities for the cipher suites supported
       by gnutls.

SYNOPSIS

       #include <gnutls/gnutls.h>

       int gnutls_priority_init(gnutls_priority_t * priority_cache, const char
       * priorities, const char ** err_pos);

ARGUMENTS

       gnutls_priority_t * priority_cache
                   is a gnutls_priority_t structure.

       const char * priorities
                   is a string describing priorities

       const char ** err_pos
                   In case of an error this will have the position in the
                   string where the error occurred

DESCRIPTION

       Sets priorities for the ciphers, key exchange methods, MACs and
       compression methods. This is to avoid using the gnutls_*_priority()
       functions.

       The priorities option allows you to specify a semi-colon separated list
       of the cipher priorities to enable.

       Unless the first keyword is "NONE" the defaults (in preference order)
       are for TLS protocols TLS1.1, TLS1.0, SSL3.0; for compression NULL; for
       certificate types X.509, OpenPGP.

       For key exchange algorithms when in NORMAL or SECURE levels the perfect
       forward secrecy algorithms take precedence over the other protocols. In
       all cases all the supported key exchange algorithms are enabled (except
       for RSA-EXPORT, which is only enabled in the EXPORT level).

       Note that although one can select very long key sizes (such as 256
       bits) for symmetric algorithms, to actually increase security the
       public key algorithms have to use longer key sizes as well.

       For all the currently available algorithms and protocols use
       "gnutls-cli -l" to get a listing.

COMMON KEYWORDS

       Some keywords are defined to provide quick access to common
       preferences.

       "PERFORMANCE" means all the "secure" ciphersuites are enabled, limited
       to 128 bit ciphers and sorted by speed.

       "NORMAL" means all "secure" ciphersuites. The 256-bit ciphers are
       included as a fallback only. The ciphers are sorted by security
       margin.

       "SECURE128" means all "secure" ciphersuites with ciphers up to 128
       bits, sorted by security margin.

       "SECURE256" means all "secure" ciphersuites including the 256 bit
       ciphers, sorted by security margin.

       "EXPORT" means all ciphersuites are enabled, including the low-security
       40 bit ciphers.

       "NONE" means nothing is enabled. This disables even protocols and
       compression methods.

SPECIAL KEYWORDS

       "!" or "-" prefixed to an algorithm will remove this algorithm.

       "+" prefixed to an algorithm will add this algorithm.

       "%COMPAT" will enable compatibility features for a server.

       "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now
       the default for clients, but will change once more servers support the
       safe renegotiation TLS fix).

       "%SAFE_RENEGOTIATION" will allow safe renegotiation only (this is the
       default for servers, which will reject clients trying to perform an
       unsafe renegotiation).

       "%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even
       if renegotiation wasn't requested. Only valid for the server side and
       implies "%SAFE_RENEGOTIATION".

       "%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation
       completely. Do not use unless you know what you are doing. Testing
       purposes only.

       "%SSL3_RECORD_VERSION" will use the SSL3.0 record version in the
       client hello.

       "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA-MD5 signatures in
       certificate chains.

       "%VERIFY_ALLOW_X509_V1_CA_CRT" will allow V1 CAs in chains.

NAMESPACE CONCERN

       To avoid name collisions, a compression algorithm in this string has
       to be prefixed with "COMP-", a protocol version with "VERS-" and a
       certificate type with "CTYPE-". All other algorithms don't need a
       prefix.

EXAMPLES

       "NORMAL:!AES-128-CBC" means normal ciphers except for AES-128.

       "EXPORT:!VERS-TLS1.0:+COMP-DEFLATE" means that export ciphers are
       enabled, TLS 1.0 is disabled, and libz compression enabled.

       Further valid strings:
       "NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL", "NORMAL",
       "%COMPAT".
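       The following is an added example, not GnuTLS code: a minimal parser
       for the priority-string syntax described above (a level keyword or
       "NONE" first, then "+", "!"/"-" and "%" items, separated by ":" as in
       the examples), which reports the failing item the way the err_pos
       argument does. The struct, function and limits are assumptions of the
       example, not part of the GnuTLS API.

```c
/* Constructed example, not GnuTLS code: a minimal parser for the priority-string
 * syntax this page describes (level keyword or NONE first, then +ALGO, !ALGO or
 * -ALGO, or %FLAG items, ':'-separated as in the page's examples). */
#include <string.h>
enum { MAX_ITEMS = 32, MAX_NAME = 32 };

struct prio {
    char level[MAX_NAME];              /* first keyword: NONE, NORMAL, SECURE256, ... */
    char added[MAX_ITEMS][MAX_NAME];   /* "+" items; COMP-/VERS-/CTYPE- prefix kept */
    char removed[MAX_ITEMS][MAX_NAME]; /* "!" or "-" items */
    char flags[MAX_ITEMS][MAX_NAME];   /* "%" items such as %COMPAT */
    int nadded, nremoved, nflags;
};

static int push(char list[][MAX_NAME], int *n, const char *tok, size_t len)
{
    if (*n >= MAX_ITEMS || len == 0 || len >= MAX_NAME) return -1;
    memcpy(list[*n], tok, len);
    list[(*n)++][len] = '\0';
    return 0;
}

/* Returns 0 on success; on a syntax error returns -1 and points *err_pos at the
 * offending item, mirroring gnutls_priority_init's err_pos argument. */
int parse_priority(const char *s, struct prio *p, const char **err_pos)
{
    static const char *levels[] = {"NONE", "NORMAL", "PERFORMANCE",
                                   "SECURE128", "SECURE256", "EXPORT"};
    const char *tok = s;
    memset(p, 0, sizeof *p);
    for (int first = 1; ; first = 0) {
        const char *end = strchr(tok, ':');
        size_t len = end ? (size_t)(end - tok) : strlen(tok);
        int rc = -1;                      /* anything unrecognised is an error */
        if (first) {                      /* first keyword must be a level */
            for (size_t i = 0; i < sizeof levels / sizeof *levels; i++)
                if (len == strlen(levels[i]) && !memcmp(tok, levels[i], len))
                    { memcpy(p->level, tok, len); rc = 0; }
        } else if (tok[0] == '+')
            rc = push(p->added, &p->nadded, tok + 1, len - 1);
        else if (tok[0] == '!' || tok[0] == '-')
            rc = push(p->removed, &p->nremoved, tok + 1, len - 1);
        else if (tok[0] == '%')
            rc = push(p->flags, &p->nflags, tok, len);
        if (rc) { *err_pos = tok; return -1; }
        if (!end) return 0;
        tok = end + 1;
    }
}
```

       The parser only checks the grammar; whether a named algorithm actually
       exists in the library is what gnutls_priority_init itself decides.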

RETURNS

       On syntax error GNUTLS_E_INVALID_REQUEST is returned, GNUTLS_E_SUCCESS
       on success, or an error code.

REPORTING BUGS

       Report bugs to <bug-gnutls@gnu.org>. GnuTLS home page:
       http://www.gnu.org/software/gnutls/ General help using GNU software:
       http://www.gnu.org/gethelp/

       Copyright © 2008 Free Software Foundation.
       Copying and distribution of this file, with or without modification,
       are permitted in any medium without royalty provided the copyright
       notice and this notice are preserved.

SEE ALSO

       The full documentation for gnutls is maintained as a Texinfo manual.
       If the info and gnutls programs are properly installed at your site,
       the command

              info gnutls

       should give you access to the complete manual.

gnutls                               2.8.6             gnutls_priority_init(3)