[gnutls-devel] [RFC] Relaxing cipher suite (priority) string requirements

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Jan 25 21:37:06 CET 2013

On 01/24/2013 02:40 AM, Jouko Orava wrote:

> Hi!
> GnuTLS is very, very picky about the cipher suite strings it accepts.
> I wrote a test patch (attached), UNTESTED, that should relax the
> requirements. The main points are:

Hello Jouko,

 I think the idea of simplifying the rules is a nice one. Some comments
on the specific changes.

>   - Make '+' prefix optional


>   - Allow full cipher names, adding/removing cipher, mac, and kx
>     (I suspect it would be better to add all three, but
>      when removing, only remove the cipher.
>      Currently the patch adds/removes all three.)

This is tricky. Although I don't think we are going to have a cipher
called SHA1, I was afraid of collisions and that's why we have this
awkward format. E.g. what does the +NULL mean? the NULL cipher? or
compression? How could you handle that?

> The patch also includes a change into lib/gnutls_priority.c:prio_remove(),
> that instead of replacing the removed item with the final item in the
> array, uses memmove() to shorten the array. For some reason I seem
> to believe the order in these priority lists matter.

Indeed, even if it comes at the cost of memmove :(


More information about the Gnutls-devel mailing list