1
2
3
4
5@deftypefun {int} {gnutls_priority_init2} (gnutls_priority_t * @var{priority_cache}, const char * @var{priorities}, const char ** @var{err_pos}, unsigned @var{flags})
6@var{priority_cache}: is a @code{gnutls_prioritity_t}  type.
7
8@var{priorities}: is a string describing priorities (may be @code{NULL} )
9
10@var{err_pos}: In case of an error this will have the position in the string the error occurred
11
12@var{flags}: zero or @code{GNUTLS_PRIORITY_INIT_DEF_APPEND}
13
14Sets priorities for the ciphers, key exchange methods, and macs.
15The  @code{priority_cache} should be deinitialized
16using @code{gnutls_priority_deinit()} .
17
18The @code{priorities}  option allows you to specify a colon
19separated list of the cipher priorities to enable.
20Some keywords are defined to provide quick access
21to common preferences.
22
23When  @code{flags} is set to @code{GNUTLS_PRIORITY_INIT_DEF_APPEND}  then the  @code{priorities} specified will be appended to the default options.
24
25Unless there is a special need, use the "NORMAL" keyword to
26apply a reasonable security level, or "NORMAL:%COMPAT" for compatibility.
27
28"PERFORMANCE" means all the "secure" ciphersuites are enabled,
29limited to 128 bit ciphers and sorted by terms of speed
30performance.
31
32"LEGACY" the NORMAL settings for GnuTLS 3.2.x or earlier. There is
33no verification profile set, and the allowed DH primes are considered
34weak today.
35
36"NORMAL" means all "secure" ciphersuites. The 256-bit ciphers are
37included as a fallback only.  The ciphers are sorted by security
38margin.
39
40"PFS" means all "secure" ciphersuites that support perfect forward secrecy.
41The 256-bit ciphers are included as a fallback only.
42The ciphers are sorted by security margin.
43
44"SECURE128" means all "secure" ciphersuites of security level 128-bit
45or more.
46
47"SECURE192" means all "secure" ciphersuites of security level 192-bit
48or more.
49
50"SUITEB128" means all the NSA SuiteB ciphersuites with security level
51of 128.
52
53"SUITEB192" means all the NSA SuiteB ciphersuites with security level
54of 192.
55
56"NONE" means nothing is enabled.  This disables everything, including protocols.
57
58"@@KEYWORD1,KEYWORD2,..." The system administrator imposed settings.
59The provided keyword(s) will be expanded from a configuration-time
60provided file - default is: /etc/gnutls/config.
61Any attributes that follow it, will be appended to the expanded
62string. If multiple keywords are provided, separated by commas,
63then the first keyword that exists in the configuration file
64will be used. At least one of the keywords must exist, or this
65function will return an error. Typical usage would be to specify
66an application specified keyword first, followed by "SYSTEM" as
67a default fallback. e.g., " @code{LIBVIRT} ,SYSTEM:!-VERS-SSL3.0" will
68first try to find a config file entry matching "LIBVIRT", but if
69that does not exist will use the entry for "SYSTEM". If "SYSTEM"
70does not exist either, an error will be returned. In all cases,
71the SSL3.0 protocol will be disabled. The system priority file
72entries should be formatted as "KEYWORD=VALUE", e.g.,
73"SYSTEM=NORMAL:+ARCFOUR-128".
74
75Special keywords are "!", "-" and "+".
76"!" or "-" appended with an algorithm will remove this algorithm.
77"+" appended with an algorithm will add this algorithm.
78
79Check the GnuTLS manual section "Priority strings" for detailed
80information.
81
82@strong{Examples:}
83"NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
84
85"NORMAL:+ARCFOUR-128" means normal ciphers plus ARCFOUR-128.
86
87"SECURE128:-VERS-SSL3.0" means that only secure ciphers are
88and enabled, SSL3.0 is disabled.
89
90"NONE:+VERS-TLS-ALL:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1",
91
92"NONE:+VERS-TLS-ALL:+AES-128-CBC:+ECDHE-RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1:+CURVE-SECP256R1",
93
94"SECURE256:+SECURE128",
95
96Note that "NORMAL:%COMPAT" is the most compatible mode.
97
98A @code{NULL}   @code{priorities} string indicates the default priorities to be
99used (this is available since GnuTLS 3.3.0).
100
101@strong{Returns:} On syntax error @code{GNUTLS_E_INVALID_REQUEST}  is returned,
102@code{GNUTLS_E_SUCCESS}  on success, or an error code.
103
104@strong{Since:} 3.6.3
105@end deftypefun
106