[gnutls-devel] overall sec_param (weakest link) for a gnutls session?

[Nikos Mavrogiannopoulos]

On Sat, 2013-12-28 at 14:20 +0100, Matthias-Christian Ott wrote:

> > i don't think you can do this.  For example, SSL_CIPHER doesn't expose
> > the number of bits in the DHE key exchange handshake.  Also, the
> > underlying TLS library could itself add new features that this
> > hypothetical external library doesn't know anything about.
> You could a variables for the asymmetric key lengths and of course you
> have keep both libraries in sync (SSL_VERSION_LIBRARY will allow you to
> adapt to different versions of the TLS library).

There many more details that only the crypto library knows. The high
level applications should be able to set the security policy, but they
shouldn't be expected to find out all the details of the session by
themselves (why should an application developer know about DH and the
sizes of the prime, or the sub-group sizes?). 

regards,
Nikos