[Pkg-gnutls-maint] Bug#464625: please support OpenSSL-compatible cipher names

Simon Josefsson simon at josefsson.org
Fri May 16 13:15:27 UTC 2008


I think that in general this suggestion is a good idea.

However, the OpenSSL cipher name parser is complicated; it uses a large
flex parser if I recall correctly.  Integrating this will take quite an
effort.  Patches welcome...

I think that both the openssl and the gnutls cipher name constructs are
unnecessarily complex: there are maybe max 100 registered TLS
ciphersuites.  A tiny portion of those are useful in normal situations.
I think it would be simpler if the administrator simply specified
exactly which TLS ciphersuite he wants, instead of trying to describe
which ciphersuites he wants using some complicated naming scheme.

Implementing my idea will be considerably simpler, and while it doesn't
yield perfect compatibility with openssl in this area, it should be
simple to run some openssl command to find out which TLS ciphersuites a
particular "TLSCipherSuite" string corresponds to, and then specify
those ciphersuites directly.

Does anyone know if openssl supports specifying the cipher suite
directly in "TLSCipherSuite"?  If so, I think we should use the same
way, so that at least those strings become compatible.  Then there is a
least-common-denominator between gnutls and openssl wrt ciphersuite
name strings.

/Simon
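The workflow proposed in the message above (run an openssl command to see what a cipher string expands to, then write the resulting suites down explicitly) can be scripted. The following is an added example, not code from the message or from GnuTLS or OpenSSL: it parses the output of `openssl ciphers -v STRING` (a real OpenSSL command) into records, flags suites an administrator would normally not want, and emits the explicit colon-separated list of suite names, which OpenSSL accepts as a cipher string. SAMPLE_OUTPUT is a constructed excerpt in that output format so the example runs without OpenSSL installed; the function names are this example's own.

```python
"""Expand an OpenSSL cipher string into explicit suites, then audit them.

Added example, not code from the message above or from GnuTLS/OpenSSL.
It parses the output of `openssl ciphers -v STRING` (a real OpenSSL
command) into records, flags suites a cautious admin would reject, and
emits the explicit colon-separated list of suite names, which OpenSSL
also accepts as a cipher string. SAMPLE_OUTPUT is a constructed excerpt
in that output format so everything runs offline; function names are
this example's own.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# One line of `openssl ciphers -v` looks like:
#   NAME   PROTO   Kx=...   Au=...   Enc=ALG(bits)   Mac=...
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^(\s]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

# Constructed sample in the `openssl ciphers -v` format (not captured output).
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""


@dataclass(frozen=True)
class Suite:
    name: str
    proto: str   # minimum protocol version the suite is defined for
    kx: str
    au: str
    enc: str
    bits: int
    mac: str


def parse_ciphers_output(text: str) -> List[Suite]:
    """Parse `openssl ciphers -v` text; lines not in that format are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        suites.append(Suite(
            name=m["name"], proto=m["proto"], kx=m["kx"], au=m["au"],
            enc=m["enc"], bits=int(m["bits"] or 0), mac=m["mac"],
        ))
    return suites


def expand_with_openssl(spec: str) -> Optional[List[Suite]]:
    """Ask the local openssl binary what `spec` expands to (None if absent)."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "ciphers", "-v", spec],
                         capture_output=True, text=True, check=True).stdout
    return parse_ciphers_output(out)


def audit(suites: List[Suite]) -> Dict[str, List[str]]:
    """Map each suite name to the reasons a cautious admin would reject it."""
    report = {}
    for s in suites:
        problems = []
        if s.au == "None":
            problems.append("anonymous key exchange")
        if s.enc == "None":
            problems.append("no encryption")
        elif s.enc in ("RC4", "DES") or s.bits < 112:
            problems.append("broken cipher")
        if s.mac == "MD5":
            problems.append("MD5 MAC")
        # In -v output ephemeral (EC)DH appears as Kx=DH / Kx=ECDH; TLS 1.3
        # suites show Kx=any and are always forward secret.
        if s.kx not in ("DH", "ECDH") and s.proto != "TLSv1.3":
            problems.append("no forward secrecy")
        report[s.name] = problems
    return report


def acceptable(suites: List[Suite]) -> List[Suite]:
    """Suites that pass audit() without any finding."""
    report = audit(suites)
    return [s for s in suites if not report[s.name]]


def explicit_string(suites: List[Suite]) -> str:
    """Colon-joined suite names: an explicit cipher string OpenSSL accepts."""
    return ":".join(s.name for s in suites)


if __name__ == "__main__":
    live = expand_with_openssl("HIGH:!aNULL:!MD5")
    suites = live if live is not None else parse_ciphers_output(SAMPLE_OUTPUT)
    for name, problems in audit(suites).items():
        print(f"{name:32} {', '.join(problems) or 'ok'}")
    print("explicit:", explicit_string(acceptable(suites)))
```

Run it on a real host to expand whatever "TLSCipherSuite" string is in use; the explicit string it prints can be pasted back into an OpenSSL configuration unchanged, and is the list of suites a GnuTLS-side configuration would need to express by name once such a direct syntax exists.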