[gnutls-dev] 256 bit ciphers
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun Oct 14 23:24:32 CEST 2007
On Saturday 13 October 2007, Simon Josefsson wrote:
> Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> writes:
> > Hello,
> > I think the 256 ciphers offer no more in security than their 128 bit
> > equivalents and they are in general slower. Thus I think it would be a
> > good idea to remove them from the default priority lists. Are there any
> > objections or good reason to keep them?
>
> The gnutls_set_default_export_priority function is the same both for
> clients and servers, and while it may make sense to only use 128 bits by
> default in clients, not supporting 256 bits in servers seems
> problematic. What if a client supports AES-256 and ARCFOUR-128 connects
> to a GnuTLS server with default settings? Then they would end up with
> ARCFOUR-128 which seems bad.
> There should probably had been two "default" functions, one for clients
> and one for servers, since the defaults may be different. It may be too
> late to change that.
Indeed. Yes maybe it is a good idea for the default ciphers to contain all the
strong supported ciphers.
regards,
Nikos
More information about the Gnutls-devel
mailing list