The approach above works well to create consistent system-wide settings for cooperative GnuTLS applications. When an application however does not use the gnutls_set_default_priority or gnutls_set_default_priority_append functions, the method is not sufficient to prevent applications from using protocols or algorithms forbidden by a local policy. The override method described below enables the deprecation of algorithms and protocols system-wide for all applications.
The available options must be set in the
[overrides] section of the
configuration file and can be
insecure-sig-for-cert: to mark the signature algorithm as insecure when used in certificates.
insecure-sig: to mark the signature algorithm as insecure for any use.
insecure-hash: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms).
disabled-version: to disable the specified TLS versions.
tls-disabled-cipher: to disable the specified ciphers for use in the TLS or DTLS protocols.
tls-disabled-mac: to disable the specified MAC algorithms for use in the TLS or DTLS protocols.
tls-disabled-group: to disable the specified group for use in the TLS or DTLS protocols.
tls-disabled-kx: to disable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier).
Each of the options can be repeated multiple times when multiple values need to be disabled.
The valid values for the options above can be found in the ’Protocols’, ’Digests’
’PK-signatures’, ’Protocols’, ’Ciphrers’, and ’MACs’ fields of the output of
The following example marks as insecure all digital signature algorithms which depend on SHA384, as well as the RSA-SHA1 signature algorithm.
[overrides] insecure-hash = sha384 insecure-sig = rsa-sha1
The following example marks RSA-SHA256 as insecure for use in certificates and disables the TLS1.0 and TLS1.1 protocols.
[overrides] insecure-sig-for-cert = rsa-sha256 disabled-version = tls1.0 disabled-version = tls1.1
The following example disables the
HMAC-SHA1 MAC algorithm and the
group for TLS and DTLS protocols.
[overrides] tls-disabled-cipher = aes-128-cbc tls-disabled-cipher = aes-256-cbc tls-disabled-mac = sha1 tls-disabled-group = group-ffdhe8192