[Pkg-gnutls-maint] Bug#464625: please support OpenSSL-compatible cipher names
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun May 18 09:48:44 UTC 2008
> I think that both the openssl and the gnutls cipher name constructs are
> unnecessarily complex: there are maybe max 100 registered TLS
> ciphersuites. A tiny portion of those are useful in normal situations.
> I think it would be simpler if the administrator simply specified
> exactly which TLS ciphersuite he wants, instead of trying to describe
> what ciphersuites he wants using some complicated naming scheme.
The problem with direct ciphersuite setting is that administrators
don't know what each ciphersuite does, offers or costs. Maybe they don't
even care. That's why I think that the new priority API should be used
for applications that want to provide configurable security levels such
as "PERFORMANCE", "NORMAL", "SECURE128", "SECURE256" and even set
individual ciphers if needed.
Forcing an administrator to learn what 100 TLS ciphersuites do, and
letting him find the combinations he needs, could have the negative
effect of reduced security. If one doesn't know what ciphersuites
are, he would just google and find a configuration that works no matter
whether it is secure or not. The interface should be simple to use for non-TLS
experts.
For this reason I'd suggest using and providing a reasonable default
(NORMAL, or HIGH) and letting others modify it.
The functions and syntax are discussed here:
http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#gnutls_priority_init