Bug#464625: please support OpenSSL-compatible cipher names

brian m. carlson sandals at crustytoothpaste.net
Thu Feb 3 22:15:27 UTC 2011


On Sun, May 18, 2008 at 12:48:44PM +0300, Nikos Mavrogiannopoulos wrote:
> The problem with direct ciphersuite setting, is that administrators
> don't know what each ciphersuite does, offers or costs. Maybe they don't
> even care. That's why I think that the new priority API should be used
> for applications that want to provide configurable security levels such
> as "PERFORMANCE", "NORMAL", "SECURE128", "SECURE256" and even set
> individual ciphers if needed.

I am a system administrator and programmer and I do know what each
ciphersuite does, offers, and costs.  I've implemented cryptographic
algorithms, including the second-fastest non-assembly implementation of
MD5 (according to my testing).  I'm well-versed in cryptography and have
strong opinions about what algorithms I want and do not want; those
opinions are based on research and fact, not a quick Google search.

In fact, I happen to know that the documentation for GnuTLS is wrong
when it claims that "[t]here are no known weaknesses of" MD2.  Such
weaknesses have been known for quite some time; in fact, certain
weaknesses in the compression function have been known longer than
(AFAICT) GnuTLS has existed.  And that's to say nothing about it being
dog-slow (14 times slower than SHA-256).

> For this reason I'd suggest to use and provide a reasonable default
> (NORMAL, or HIGH and let others modify it).

Obviously, as we've discussed before, we disagree on a "reasonable
default".  If we can agree on such a default, that's fine, as long as it
can be changed by the administrator.  But that's not the matter here.
This bug is discussing the use of OpenSSL-compatible cipher names.

OpenSSL is *the* choice for cryptographic implementation in the
GNU/Linux world.  Which implementation (OpenSSL or GnuTLS) is actually
being used is an implementation detail.  If Debian uses GnuTLS for a
program and Fedora uses OpenSSL, the cipher specifications for that
program will be totally different—for no good reason.  There's really no
good reason for this.

And the OpenSSL names, besides being more common, are shorter, clearer,
and more easily understood.  The GnuTLS priorities (which I am not
proposing removing, only adding to) are defined only very vaguely in
gnutls-cli(1).  Looking at the source, RC4 is defined in SECURE256, and
due to major weaknesses in its key scheduling (which can be used very
effectively against e.g. WEP), I would absolutely not want to use it if
any other choice were available.  Had I not looked at the source, I
would never have known this.  I would certainly not class it as
"secure".  The OpenSSL syntax allows me to specify that it is to be the
last possible choice: AES:CAMELLIA:3DES:@STRENGTH:+RC4:!EXPORT.

I think it's reasonable to allow OpenSSL-compatible ciphersuite names.
In fact, I think it's a really good idea.  I would even implement it
myself, but I refuse to assign copyright[0], and I'm not going to waste
time writing code that will be thrown away.  Nevertheless, I strongly
urge you to support the OpenSSL syntax.

[0] This is a blanket policy unless we've executed a consulting contract
that says otherwise.  I think that when I make a contribution to a
project that it's only fair to be attributed as the author of my work;
my copyright notice ensures that I get credit for the work I've done.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
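The message above leans on the semantics of OpenSSL cipher strings (bare tokens add, `+` moves to the end, `!` deletes permanently, `@STRENGTH` sorts by key size). The following evaluator is an added example, not code from the thread, from GnuTLS, or from OpenSSL; it re-implements those documented rules over a small suite table constructed here (the names follow OpenSSL's naming, but the table, keyword sets and strength values are abbreviated and assumed for illustration, not OpenSSL's real list). Running it on the string quoted in the mail shows one check worth making before deploying any cipher string: `+RC4` only reorders suites that an earlier token already added, so with no bare `RC4` token the resulting list contains no RC4 suite at all, whereas adding `RC4` before `@STRENGTH` yields the "last possible choice" ordering, with the export-grade RC4 suite still removed by `!EXPORT`.

```python
"""Evaluate an OpenSSL-style cipher string against a constructed suite table.

Rules implemented (as documented for OpenSSL's ciphers(1) syntax):
  TOKEN      add every matching suite not yet in the list, at the end
  +TOKEN     move matching suites already in the list to the end
  -TOKEN     remove matching suites (they may be re-added by a later token)
  !TOKEN     remove matching suites and forbid re-adding them
  @STRENGTH  stable sort of the current list by key strength, descending
  A+B        a token containing '+' matches only suites with both keywords
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    keywords: frozenset  # aliases the suite matches (cipher, kx, mac, grade)
    bits: int            # strength in bits used by @STRENGTH


# Constructed, abbreviated table for this example; order is the "default" order.
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", frozenset({"AES", "AES256", "ECDHE", "RSA", "SHA384"}), 256),
    Suite("AES128-SHA", frozenset({"AES", "AES128", "RSA", "SHA"}), 128),
    Suite("CAMELLIA256-SHA", frozenset({"CAMELLIA", "CAMELLIA256", "RSA", "SHA"}), 256),
    Suite("CAMELLIA128-SHA", frozenset({"CAMELLIA", "CAMELLIA128", "RSA", "SHA"}), 128),
    Suite("DES-CBC3-SHA", frozenset({"3DES", "RSA", "SHA"}), 112),
    Suite("RC4-SHA", frozenset({"RC4", "RSA", "SHA"}), 128),
    Suite("RC4-MD5", frozenset({"RC4", "RSA", "MD5"}), 128),
    Suite("EXP-RC4-MD5", frozenset({"RC4", "EXPORT", "RSA", "MD5"}), 40),
    Suite("EXP-DES-CBC-SHA", frozenset({"DES", "EXPORT", "RSA", "SHA"}), 40),
]


def matches(suite, token):
    """True if the suite carries every keyword of an 'A+B+C' token."""
    return all(keyword in suite.keywords for keyword in token.split("+"))


def evaluate(cipher_string, table=SUITES):
    """Return the ordered suite names selected by cipher_string."""
    selected = []
    killed = set()  # names deleted with '!', never re-added
    for raw in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        token = raw.strip()
        if not token:
            continue
        if token.startswith("@"):
            if token != "@STRENGTH":
                raise ValueError("unsupported directive: " + token)
            selected.sort(key=lambda s: s.bits, reverse=True)  # stable sort
            continue
        op, name = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        hits = [s for s in table if matches(s, name)]
        if op == "!":
            killed.update(s.name for s in hits)
            selected = [s for s in selected if s.name not in killed]
        elif op == "-":
            selected = [s for s in selected if s not in hits]
        elif op == "+":
            moved = [s for s in selected if s in hits]
            selected = [s for s in selected if s not in hits] + moved
        else:
            for suite in hits:
                if suite.name not in killed and suite not in selected:
                    selected.append(suite)
    return [s.name for s in selected]


# The string quoted in the mail, and a variant that actually adds RC4 first.
AS_WRITTEN = "AES:CAMELLIA:3DES:@STRENGTH:+RC4:!EXPORT"
WITH_RC4_ADDED = "AES:CAMELLIA:3DES:RC4:@STRENGTH:+RC4:!EXPORT"

if __name__ == "__main__":
    for spec in (AS_WRITTEN, WITH_RC4_ADDED):
        print(spec)
        for name in evaluate(spec):
            print("   ", name)
```

The table is deliberately tiny so the effect of each token can be followed by hand; against a real OpenSSL build, `openssl ciphers -v '<string>'` is the equivalent check, and it is the one to run, since the outcome depends on which suites that build compiled in.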