On Tue, Jul 02, 2019 at 09:36:25AM -0700, Quanah Gibson-Mount wrote:
> b) That the way to do this with GnuTLS is via the TLSCipherSuite setting. The man page directs one to look at the gnutls-cli(1) man page, in particular, the --priority setting.
> If we pull up this man page (https://linux.die.net/man/1/gnutls-cli for example), there are some examples provided there. Based on those examples, it looks like perhaps something along the lines of:
> "NONE:+VERS-SSL3.0" would enable *just* SSL3.0. I'd guess you could set it to something like "NORMAL:+VERS-SSL3.0" or perhaps "EXPORT:+VERS-SSL3.0".
NORMAL:+VERS-SSL3.0 sounds like the right idea. I'd avoid EXPORT unless really, absolutely necessary. Depending on the specific client software you may also have to enable some additional cipher suite(s).
I would also add that you can use gnutls-cli(1) to verify and test your priority strings.
e.g.: gnutls-cli -l --priority 'NORMAL:+VERS-SSL3.0' will show you the ciphers and other features enabled by that priority string, and inform you if the string is not valid.
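
The check described above, scripted so a priority string can be audited for the protocol versions it turns on before it goes into TLSCipherSuite (an added example, not part of the original message). The function names and the sample listing are constructed for illustration; the parser assumes the "Protocols:" line that gnutls-cli -l prints, and a non-zero exit for an invalid string.

```shell
#!/bin/sh
# Audit which protocol versions a GnuTLS priority string enables.

# Read `gnutls-cli -l --priority STRING` output on stdin and print
# one enabled protocol (e.g. VERS-TLS1.2) per line.
list_protocols() {
    sed -n 's/^Protocols:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Succeed if protocol $1 appears in the listing on stdin.
has_protocol() {
    list_protocols | grep -qx -- "$1"
}

# Constructed sample of a listing for 'NORMAL:+VERS-SSL3.0'; real output
# depends on the installed GnuTLS version and has many more lines.
sample_listing() {
    cat <<'EOF'
Cipher suites for NORMAL:+VERS-SSL3.0
TLS_RSA_AES_128_CBC_SHA1        0x00, 0x2f      SSL3.0

Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0
Ciphers: AES-128-CBC
MACs: SHA1
EOF
}

# Validate priority string $1 with the real tool and list its protocols.
# Assumption: gnutls-cli exits non-zero when the string does not parse.
check_priority() {
    if ! out=$(gnutls-cli -l --priority "$1" 2>&1); then
        echo "invalid priority string: $1" >&2
        return 2
    fi
    printf '%s\n' "$out" | list_protocols
    if printf '%s\n' "$out" | has_protocol VERS-SSL3.0; then
        echo "note: SSL3.0 is enabled by this string" >&2
    fi
}

# With an argument, query gnutls-cli; without one, parse the sample.
if [ -n "${1:-}" ]; then
    check_priority "$1"
else
    sample_listing | list_protocols
fi
```
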