About SSL/TLS versions and Ciphers that lftp can use

Solution Unverified - Updated -

Issue

The customer would like to know the SSL/TLS versions and kinds of ciphers that can be used by the lftp command in RHEL 7.2. As this depends on the library that lftp is built against (according to the lftp man page), he would also like to know whether GnuTLS or OpenSSL is actually used by lftp.

  • Is there any way to know whether GnuTLS or OpenSSL is used by lftp? Please let me know the way, if any.
  • What kinds of ciphers can be used by lftp? The customer supposes that all the ciphers displayed by gnutls-cli -l can be used by lftp if it uses GnuTLS. Is his understanding correct?

    $ gnutls-cli -l
    Cipher suites:
    TLS_RSA_NULL_MD5                                        0x00, 0x01      SSL3.0
    TLS_RSA_NULL_SHA1                                       0x00, 0x02      SSL3.0
    TLS_RSA_NULL_SHA256                                     0x00, 0x3b      TLS1.0
    TLS_RSA_ARCFOUR_128_SHA1                                0x00, 0x05      SSL3.0
    TLS_RSA_ARCFOUR_128_MD5                                 0x00, 0x04      SSL3.0
    TLS_RSA_3DES_EDE_CBC_SHA1                               0x00, 0x0a      SSL3.0
    TLS_RSA_AES_128_CBC_SHA1                                0x00, 0x2f      SSL3.0
    TLS_RSA_AES_256_CBC_SHA1                                0x00, 0x35      SSL3.0
    <snipped>
    
  • What versions of SSL/TLS can be used by lftp? According to the source code, I think that SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 can be used, but I'm not sure. If my understanding is wrong, please correct me.

    lftp-4.4.8-7.el7.src.rpm
    src/lftp_ssl.cc:
    lftp_ssl_openssl_instance::lftp_ssl_openssl_instance()
     {
     <snipped>
      static const struct ssl_option {
         const char name[8];
         long option;
      } opt_table[] ={
         {"-SSL3.0",SSL_OP_NO_SSLv3},
         {"-TLS1.0",SSL_OP_NO_TLSv1},
         {"-TLS1.1",SSL_OP_NO_TLSv1_1},
         {"-TLS1.2",SSL_OP_NO_TLSv1_2},
         {"",0}
    
    gnutls-3.3.8-12.el7_1.1.src.rpm
    lib/algorithms/protocols.c:
    /* TLS Versions */
    static const version_entry_st sup_versions[] = {
        {"SSL3.0", GNUTLS_SSL3, 3, 0, GNUTLS_STREAM, 1, 0, 0, 0, 0},
        {"TLS1.0", GNUTLS_TLS1, 3, 1, GNUTLS_STREAM, 1, 0, 1, 0, 0},
        {"TLS1.1", GNUTLS_TLS1_1, 3, 2, GNUTLS_STREAM, 1, 1, 1, 0, 0},
        {"TLS1.2", GNUTLS_TLS1_2, 3, 3, GNUTLS_STREAM, 1, 1, 1, 1, 1},
        {"DTLS0.9", GNUTLS_DTLS0_9, 1, 0, GNUTLS_DGRAM, 1, 1, 1, 0, 0}, /* Cisco AnyConnect (based on about OpenSSL 0.9.8e) */
        {"DTLS1.0", GNUTLS_DTLS1_0, 254, 255, GNUTLS_DGRAM, 1, 1, 1, 0, 0},     /* 1.1 over datagram */
        {"DTLS1.2", GNUTLS_DTLS1_2, 254, 253, GNUTLS_DGRAM, 1, 1, 1, 1, 1},     /* 1.2 over datagram */
        {0, 0, 0, 0, 0}
    };
    
  • If lftp uses GnuTLS, could you tell me how to specify the SSL/TLS versions to be used by lftp? According to the man page of lftp and https://access.redhat.com/discussions/2525031, the following setting specifies that TLS 1.2 is to be used and SSL 3.0, TLS 1.0 and TLS 1.1 are not, when lftp uses OpenSSL, but they don't mention GnuTLS:

    set ssl:priority "NORMAL:-SSL3.0:-TLS1.0:-TLS1.1:+TLS1.2"
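
The following shell script is an added example, not part of this Red Hat article and not lftp's own code. It addresses the first and last questions above from the administrator's side: it inspects which TLS library an lftp binary is dynamically linked against (by reading `ldd` output, the same check the question asks for), and it previews which cipher suites a GnuTLS priority string enables by handing that string to `gnutls-cli --priority ... -l`. The preview assumes that lftp, when built against GnuTLS, passes the `ssl:priority` value through to GnuTLS as a priority string; the `ldd` lines embedded in the script are constructed sample data, not output captured from a real system.

```shell
#!/bin/sh
# Added example (not from the Red Hat article or from lftp): find out which
# TLS library an lftp binary is linked against, and preview the cipher suites
# a GnuTLS priority string enables. Assumes a dynamically linked binary and
# that `ldd` / `gnutls-cli` are on PATH where they are used.

# Classify ldd output read from stdin: prints gnutls, openssl, both or none.
tls_backend_from_ldd() {
    has_gnutls=0
    has_openssl=0
    while IFS= read -r line; do
        case "$line" in
            *libgnutls.so*) has_gnutls=1 ;;
            *libssl.so*)    has_openssl=1 ;;
        esac
    done
    if [ "$has_gnutls" -eq 1 ] && [ "$has_openssl" -eq 1 ]; then
        echo both
    elif [ "$has_gnutls" -eq 1 ]; then
        echo gnutls
    elif [ "$has_openssl" -eq 1 ]; then
        echo openssl
    else
        echo none
    fi
}

# Run ldd on a binary path and classify the result; prints "unknown" when
# the file is missing, not executable, or ldd is unavailable.
detect_tls_backend() {
    bin="$1"
    if [ ! -x "$bin" ] || ! command -v ldd >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    ldd "$bin" 2>/dev/null | tls_backend_from_ldd
}

# List the cipher suites GnuTLS enables for a priority string (needs gnutls-cli).
# Assumption: lftp built against GnuTLS passes ssl:priority through unchanged,
# so this shows what such an lftp would offer for the given string.
gnutls_suites_for_priority() {
    gnutls-cli --priority "$1" -l
}

# Constructed sample of ldd output (addresses and versions made up for the
# demonstration), so the classifier can be exercised without lftp installed.
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007ffd8a9f1000)
	libgnutls.so.28 => /lib64/libgnutls.so.28 (0x00007f3c1a2b0000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3c19a00000)'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LDD" | tls_backend_from_ldd   # prints: gnutls
    detect_tls_backend "$(command -v lftp || echo /usr/bin/lftp)"
    gnutls_suites_for_priority "NORMAL:-SSL3.0:-TLS1.0:-TLS1.1:+TLS1.2"
fi
```

Run it with `--demo` on a host that has lftp and gnutls-cli installed; the second line of output tells you which library the installed lftp actually loads, and the suite list that follows shows what the priority string from the question leaves enabled (with `-SSL3.0:-TLS1.0:-TLS1.1` only TLS 1.2 suites should remain). A result of "both" means the binary links both libraries and the linkage alone cannot settle which one handles the FTPS session.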
    

Environment

  • Red Hat Enterprise Linux 7, 8, 9
  • lftp
  • gnutls
  • openssl
