[gnutls-devel] priority string DHE parameter acceptance

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Nov 5 21:39:08 CET 2013

On 11/05/2013 04:57 AM, Daniel Kahn Gillmor wrote:
> I'm having some difficulty following the logic behind the way the GnuTLS
> priority strings set what the minimum number of bits are required for
> the group used for DHE key exchange.
> I notice that if i set up a server using 1024-bit DHE, i get a different
> response from these two priority strings:
> Using the former priority string, connections complete, but using the
> latter priority string makes gnutls-cli refuse the connection at
> 1024-bit DHE.  If the DHE group is larger (2048 bits), both strings
> allow connections to complete.
> My understanding of the priority string mechanism suggests that the two
> strings should have the same behavior.  What am i missing?

Nothing, that doesn't make sense. It's a bug. I've figure it out, but it
seems a test case is needed there to avoid such issues.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 551 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20131105/ebf186f9/attachment-0001.sig>

More information about the Gnutls-devel mailing list