[gnutls-devel] overall sec_param (weakest link) for a gnutls session?

Matthias-Christian Ott ott at mirix.org
Sat Dec 28 14:20:09 CET 2013


On 12/04/13 15:40, Daniel Kahn Gillmor wrote:
> On 12/03/2013 06:11 PM, Matthias-Christian Ott wrote:
>> In mod_gnutls, mod_ssl and nginx, you could implement this as a library
>> that reads environment variables of the request (e.g. SSL_CIPHER in
>> mod_gnutls and mod_ssl) and computes the security from this – no patches
>> for TLS libraries required. For other types of software this could be
>> implemented as a separate library as well.
> 
> i don't think you can do this.  For example, SSL_CIPHER doesn't expose
> the number of bits in the DHE key exchange handshake.  Also, the
> underlying TLS library could itself add new features that this
> hypothetical external library doesn't know anything about.

You could add variables for the asymmetric key lengths and of course you
have to keep both libraries in sync (SSL_VERSION_LIBRARY will allow you to
adapt to different versions of the TLS library).

Regards,
Matthias-Christian
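The weakest-link computation the thread is about, as an added example that is not part of the original posts nor of mod_gnutls or mod_ssl. It reads the mod_ssl request variables SSL_PROTOCOL, SSL_CIPHER, SSL_CIPHER_USEKEYSIZE and SSL_SERVER_A_KEY, and takes the server key and ephemeral key sizes from SSL_SERVER_KEY_BITS and SSL_KEX_BITS, two hypothetical variables assumed here because SSL_CIPHER does not carry them; the function returns None when that information is missing, which is exactly the gap Daniel points out.

```python
import re
from typing import Optional

# Symmetric-equivalent strength of RSA / finite-field DH moduli (NIST SP 800-57).
FF_LEVELS = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]

def ff_strength(bits: int) -> int:
    """Largest SP 800-57 level the modulus size reaches; 0 below 1024 bits."""
    return max([s for size, s in FF_LEVELS if bits >= size], default=0)

def ec_strength(bits: int) -> int:
    """Elliptic-curve security is roughly half the field size (P-256 -> 128)."""
    return bits // 2

def session_sec_param(env: dict) -> Optional[int]:
    """Weakest-link security level in bits, or None if a link cannot be assessed."""
    if env.get("SSL_PROTOCOL", "") in ("SSLv2", "SSLv3"):
        return 0                                   # protocol itself is broken
    cipher = env.get("SSL_CIPHER", "")
    if not cipher or "NULL" in cipher or cipher.startswith("EXP"):
        return 0                                   # no encryption / export grade
    levels = []
    # Bulk cipher: key size from SSL_CIPHER_USEKEYSIZE, with policy caps.
    sym = int(env.get("SSL_CIPHER_USEKEYSIZE", "0"))
    if "3DES" in cipher or "CBC3" in cipher:
        sym = min(sym, 112)                        # 168-bit 3DES gives ~112 bits
    elif "RC4" in cipher or "DES" in cipher:
        sym = 0                                    # policy: RC4 and single DES unacceptable
    levels.append(sym)
    # Server authentication key (SSL_SERVER_KEY_BITS is a hypothetical variable).
    auth_bits = env.get("SSL_SERVER_KEY_BITS")
    if auth_bits is None:
        return None
    ec_auth = "ECDSA" in cipher or "ecPublicKey" in env.get("SSL_SERVER_A_KEY", "")
    levels.append(ec_strength(int(auth_bits)) if ec_auth else ff_strength(int(auth_bits)))
    # Key exchange: only (EC)DHE needs data that SSL_CIPHER does not carry,
    # so it is read from the hypothetical SSL_KEX_BITS variable.
    if re.match(r"^(DHE|EDH|ECDHE|EECDH)-", cipher):
        kex_bits = env.get("SSL_KEX_BITS")
        if kex_bits is None:
            return None                            # ephemeral key strength unknown
        ec_kex = cipher.startswith(("ECDHE", "EECDH"))
        levels.append(ec_strength(int(kex_bits)) if ec_kex else ff_strength(int(kex_bits)))
    return min(levels)
```

With the constructed sample below, a DHE-RSA session with a 2048-bit certificate but a 1024-bit DH group comes out at 80 bits, i.e. the DH group is the weakest link.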


