[gnutls-devel] [RFC] Relaxing cipher suite (priority) string requirements
Nikos Mavrogiannopoulos
nmav at gnutls.org
Tue Jan 29 09:29:50 CET 2013
On 01/28/2013 07:54 AM, Jouko Orava wrote:
>> It could be two different modes. One that you specify explicitly
>> ciphersuites, and the other that is like now (level+ciphers,macs etc.).
>>
>> Does this make sense?
>
> Absolutely, and that's also the reason I haven't yet tested the patches I
> proposed earlier (making '+' optional, for example).
>
> Here's the logic rules I've been considering.
> I'm not entirely happy with it, and I think it needs further work.
> It is quite possibly too complicated (for users).
> (I do believe the implementation would be straightforward, though.)
>
> "!" <ciphersuite>
> "!" <protocol>
> "!" <certificate>
> "!" <compression>
> "!" <signature>
> "!" <cipher>
> "!" <mac>
> "!" <key exchange>
> Completely disallow (ban).
> Applies as if these were listed last in the string.
>
> "!" <level>
> Ban all cipher suites in <level>
> from the current priority set.
> (Other features of <level> are ignored.)
What is the purpose of being able to remove ciphersuites from a level?
> Instead of "-ALL" suffixes, catch-alls could use an asterisk "*".
> For example, any TLSv1 protocol could be "TLSv1.*".
That is more intuitive and could be added to the old format as well, in
a backwards compatible way.
> "NONE" should include "no compression". Compression can be required
> by explicitly banning or removing "no compression".
Why is that? None should be really none, so that you can specify exactly
what you need. That's how it is used now.
> To distinguish between the existing parsing, this format would
> require a start marker, for example "@" or "New".
I'd propose the new string to be simpler:
> x <ciphersuite>
> x <protocol>
> x <certificate>
> x <compression>
> x <signature>
> % <cmd>
x = + | " "
That is you'll choose the new format to specify ciphersuites, and use
the old format if you want to specify individual algorithms/levels.
I wouldn't like to have more than a way to do the same thing.
regards,
Nikos
More information about the Gnutls-devel
mailing list