Christoph Biedl wrote...
As far as I understand the code and captured traffic, setting the cipher list using gnutls_priority_set in ConnSSL_Init_SSL has no effect. The ciphers offered in the TLS "Client Hello" packet are weak and apparently it's too late for cipher negotiation.
Since even connecting manually using "gnutls-cli --priority SECURE128" fails, I assume "SECURE128" might be a good choice for a server but a terrible idea for a client.
So I'd suggest to revert the last hunk of b9006ace that applied the CipherList settings to outgoing connections, too. Instead, leave it to NORMAL and let the remote side pick the ciphers it considers usable.
Christoph