Bug#665766: libgnutls26: should prefer TLS 1.2/ECC cipher suites

brian m. carlson sandals at crustytoothpaste.net
Sun Mar 25 20:15:48 UTC 2012


Package: libgnutls26
Version: 2.12.18-1
Severity: wishlist
File: /usr/lib/x86_64-linux-gnu/libgnutls.so.26

Now that OpenSSL 1.0.1 is in sid, mutt can talk to my dovecot IMAP
server using TLS 1.2 [0].  However, I was disappointed to discover that
mutt (which does not have knobs for cipher suites) still uses
DHE-RSA/AES-128-CBC/SHA1.

Since my processor supports the Intel AESNI instructions, using GCM is
very significantly faster than using HMAC (approximately 225% faster)
using my own implementation, and runs at almost exactly the same speed
as CBC with HMAC-SHA1 (and 47% faster than CBC with HMAC-SHA256) using
libgnutls26's unaccelerated implementation.

Also, using ECC suites like ECDHE is faster and much more secure than
using plain DH.  This also means that #476441 should be viewed in a new
light; specifically, using ECC cipher suites means that the public-key
operations can be of equivalent length to the symmetric-key operations.

Finally, if HMAC is going to be used, a stronger hash algorithm than
SHA-1 should be chosen.  SHA-1 has demonstrable weaknesses that have not
been determined to be present in SHA-256, SHA-384, or SHA-512.

Currently, GnuTLS by default offers no GCM suites, offers no ECC suites
(or ECC curve extensions), prefers the SHA-1 algorithms over the SHA-256
algorithms, and even specifies a cipher suite using MD5
(TLS_RSA_WITH_RC4_128_MD5)!

I'd like to request that, at least when negotiating TLS 1.2, GCM be
preferred over CBC, that ECC suites be preferred over non-ECC ones, and
that if HMAC is used SHA-256 be preferred over SHA-1.  I would like to
point out that except for the latter decision (which is slightly
slower), all of these have the effect of improving *both* performance
and security.

[0] My dovecot server is using
AESGCM:ECDH:ALL:-MD5:-RC4:!LOW:!SSLv2:!EXP:!aNULL as the cipher suite
specification.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.3.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgnutls26 depends on:
ii  libc6              2.13-27
ii  libgcrypt11        1.5.0-3
ii  libp11-kit0        0.12-2
ii  libtasn1-3         2.12-1
ii  multiarch-support  2.13-27
ii  zlib1g             1:1.2.6.dfsg-2

libgnutls26 recommends no packages.

libgnutls26 suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: package libgnutls26 is not installed

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
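The report's argument rests on how a cipher-suite specification such as the one in footnote [0] is turned into an ordered preference list. The following is an added example, not code from the bug report or from OpenSSL or GnuTLS: it models the evaluation rules documented in ciphers(1) (a bare keyword appends matching suites in table order, `+` moves already-enabled matches to the end, `-` removes them but allows later re-adding, `!` removes them permanently, `A+B` requires both keywords, unknown keywords such as `SSLv2` on a modern library are ignored) and applies them to a small, constructed table of suites. The suite table, its keyword tags, and the function names are assumptions made for illustration; `@STRENGTH` sorting is deliberately not modelled.

```python
from typing import List, Set, Tuple

# Constructed suite table (not OpenSSL's real list) in library-internal order.
# Tags use the keyword names from ciphers(1) where one exists for the property.
SUITE_TABLE: List[Tuple[str, Set[str]]] = [
    ("ECDHE-RSA-AES256-GCM-SHA384", {"ECDH", "ECDHE", "RSA", "AESGCM", "AES", "SHA384", "HIGH"}),
    ("ECDHE-RSA-AES128-GCM-SHA256", {"ECDH", "ECDHE", "RSA", "AESGCM", "AES", "SHA256", "HIGH"}),
    ("DHE-RSA-AES128-GCM-SHA256",   {"DH", "DHE", "RSA", "AESGCM", "AES", "SHA256", "HIGH"}),
    ("ECDHE-RSA-AES128-SHA",        {"ECDH", "ECDHE", "RSA", "AES", "SHA1", "HIGH"}),
    ("DHE-RSA-AES128-SHA",          {"DH", "DHE", "RSA", "AES", "SHA1", "HIGH"}),  # what mutt negotiated
    ("AES128-SHA256",               {"kRSA", "RSA", "AES", "SHA256", "HIGH"}),
    ("RC4-MD5",                     {"kRSA", "RSA", "RC4", "MD5", "MEDIUM"}),
    ("DES-CBC-SHA",                 {"kRSA", "RSA", "DES", "SHA1", "LOW"}),
    ("EXP-RC4-MD5",                 {"kRSA", "RSA", "RC4", "MD5", "EXP", "LOW"}),
    ("ADH-AES128-SHA",              {"DH", "aNULL", "AES", "SHA1", "HIGH"}),
    ("NULL-SHA",                    {"kRSA", "RSA", "eNULL", "SHA1"}),
]


def _matches(tags: Set[str], token: str) -> bool:
    """A token like 'ECDH+AESGCM' matches only suites carrying every keyword.

    'ALL' stands for every suite except those with a null cipher (eNULL).
    A keyword that no suite carries (e.g. 'SSLv2' here) simply matches nothing.
    """
    for word in token.split("+"):
        if word == "ALL":
            if "eNULL" in tags:
                return False
        elif word not in tags:
            return False
    return True


def evaluate(spec: str) -> List[str]:
    """Return the enabled suites, in preference order, for a colon-separated spec."""
    enabled: List[str] = []
    killed: Set[str] = set()  # suites removed with '!' can never be re-added
    for rule in spec.split(":"):
        if not rule:
            continue
        if rule.startswith("@"):
            raise ValueError(f"{rule!r}: sort commands are not modelled in this example")
        op, token = (rule[0], rule[1:]) if rule[0] in "!-+" else ("", rule)
        hit = [name for name, tags in SUITE_TABLE if _matches(tags, token)]
        if op == "!":
            killed.update(hit)
            enabled = [n for n in enabled if n not in hit]
        elif op == "-":
            enabled = [n for n in enabled if n not in hit]
        elif op == "+":
            moved = [n for n in enabled if n in hit]
            enabled = [n for n in enabled if n not in hit] + moved
        else:
            # A bare keyword appends new matches in table order; suites already
            # on the list keep their position.
            for name in hit:
                if name not in killed and name not in enabled:
                    enabled.append(name)
    if not enabled:
        raise ValueError("no cipher suite matches the specification")
    return enabled


def flag_weak(order: List[str]) -> List[str]:
    """List enabled suites that use the primitives the report objects to."""
    weak = {"MD5", "RC4", "SHA1", "aNULL", "EXP", "LOW", "eNULL"}
    by_name = dict(SUITE_TABLE)
    return [n for n in order if by_name[n] & weak]


if __name__ == "__main__":
    # The server-side specification quoted in footnote [0] of the report.
    spec = "AESGCM:ECDH:ALL:-MD5:-RC4:!LOW:!SSLv2:!EXP:!aNULL"
    for i, name in enumerate(evaluate(spec), 1):
        print(f"{i:2d}. {name}")
    print("still SHA-1 based:", flag_weak(evaluate(spec)))
```

Keyword order is what builds the preference: because `AESGCM` precedes `ECDH`, `DHE-RSA-AES128-GCM-SHA256` outranks `ECDHE-RSA-AES128-SHA` in the resulting list, and the three trailing CBC/SHA-1 suites remain only because the spec never excludes `SHA1`. Comparing `ALL:-MD5:MD5` with `ALL:!MD5:MD5` shows why the report's spec uses `!` for the suites it never wants back.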