[gnutls-devel] priority string DHE parameter acceptance
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Tue Nov 5 21:39:08 CET 2013
On 11/05/2013 04:57 AM, Daniel Kahn Gillmor wrote:
> I'm having some difficulty following the logic behind the way the GnuTLS
> priority strings set what the minimum number of bits are required for
> the group used for DHE key exchange.
>
> I notice that if i set up a server using 1024-bit DHE, i get a different
> response from these two priority strings:
>
> SECURE256:+VERS-TLS-ALL:+DHE-RSA:+MAC-ALL:+COMP-NULL
>
> NONE:+SECURE256:+VERS-TLS-ALL:+DHE-RSA:+MAC-ALL:+COMP-NULL
>
> Using the former priority string, connections complete, but using the
> latter priority string makes gnutls-cli refuse the connection at
> 1024-bit DHE. If the DHE group is larger (2048 bits), both strings
> allow connections to complete.
>
> My understanding of the priority string mechanism suggests that the two
> strings should have the same behavior. What am i missing?
Nothing, that doesn't make sense. It's a bug. I've figured it out, but it
seems a test case is needed there to avoid such issues.
regards,
Nikos
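The behaviour discussed in this thread is a client-side policy check: once the server's ServerKeyExchange arrives, the client compares the size of the DHE prime against the minimum its priority string demands and aborts the handshake if the group is too small. The following is an added illustration of that check, not GnuTLS's own code. It encodes and parses the ServerDHParams structure (dh_p, dh_g, dh_Ys, each an opaque<1..2^16-1> vector as in RFC 5246 section 7.4.3) and applies a minimum-bits policy. The thread does not state which minimum SECURE256 maps to, so the threshold is a parameter; the sample moduli are constructed values of the right bit length, not real safe primes, so primality is deliberately not checked here.

```python
"""Minimum DHE group-size check, as a client would apply it before
continuing a TLS 1.x DHE handshake. Added example; not GnuTLS code."""
import struct


def _read_opaque16(buf: bytes, off: int):
    """Read one opaque<1..2^16-1> vector (2-byte big-endian length prefix)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("truncated or empty vector")
    return buf[off:off + n], off + n


def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams { opaque dh_p<1..2^16-1>; dh_g; dh_Ys }."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
        out += struct.pack("!H", len(raw)) + raw
    return out


def parse_server_dh_params(buf: bytes):
    """Decode ServerDHParams into (p, g, Ys) integers; trailing bytes are rejected."""
    p_raw, off = _read_opaque16(buf, 0)
    g_raw, off = _read_opaque16(buf, off)
    ys_raw, off = _read_opaque16(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after ServerDHParams")
    return (int.from_bytes(p_raw, "big"),
            int.from_bytes(g_raw, "big"),
            int.from_bytes(ys_raw, "big"))


def dh_group_bits(p: int) -> int:
    """Bit length of the modulus; this is the number the policy compares."""
    return p.bit_length()


def accept_dhe(params: bytes, min_bits: int):
    """Apply the client's DHE policy. Returns (accepted, reason).

    min_bits is the minimum prime size the chosen priority level requires
    (the exact value per SECURE level is an assumption left to the caller).
    Range checks on g and Ys catch trivially bad parameters; primality is
    not verified here.
    """
    p, g, ys = parse_server_dh_params(params)
    bits = dh_group_bits(p)
    if bits < min_bits:
        return False, f"DH prime is {bits} bits, policy requires at least {min_bits}"
    if g < 2 or g > p - 2:
        return False, "generator out of range"
    if ys < 2 or ys > p - 2:
        return False, "server public value out of range"
    return True, f"DH prime is {bits} bits, policy satisfied"


# Constructed sample moduli (correct bit lengths, NOT real DH primes).
P_1024 = (1 << 1023) | 1
P_2048 = (1 << 2047) | 1


def demo():
    """Run a 1024-bit and a 2048-bit server group against two client policies.

    Mirrors the thread: a policy requiring 2048 bits rejects the 1024-bit
    server and accepts the 2048-bit one; a 1024-bit policy accepts both.
    """
    results = {}
    for label, p in (("server-1024", P_1024), ("server-2048", P_2048)):
        msg = build_server_dh_params(p, 2, 5)
        for policy in (1024, 2048):
            results[(label, policy)] = accept_dhe(msg, policy)[0]
    return results


if __name__ == "__main__":
    for (server, policy), ok in demo().items():
        print(f"{server} vs min_bits={policy}: {'accept' if ok else 'reject'}")
```

The point of making the threshold explicit is that two priority strings intended to mean the same thing should produce the same `min_bits`; if they do not, you get exactly the divergence reported above, with one string accepting a 1024-bit group and the other refusing it.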