[gnutls-devel] gnutls-cli and invoke-gnutls-cli.texi disagree
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sat Sep 7 17:13:08 CEST 2013
On 09/06/2013 12:52 PM, Tim Ruehsen wrote:
> Hi,
>
> regarding GnuTLS 3.2.4:
>
> The docs (invoke-gnutls-cli.texi) say
> Cipher suites for SECURE192
> TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
> TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2
> TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
> TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
> TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
> TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
>
> while the invocation of 'gnutls-cli --priority SECURE192 -l'
> says:
> Cipher suites for SECURE192
> TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
> TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2c TLS1.2
> TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
> TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
> TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
> TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
>
> Shouldn't the DHE key exchange be preferred to RSA, like the docs say ?
It seems there is a discrepancy there. They are automatically generated
so they need to be regenerated.
> If I understood it correctly, DHE is more secure in terms of 'Perfect Forward
> Security'.
> Could someone bring some light in here?
You are correct. However, in the latest versions I am pushing for a
combination of security _and_ compatibility (which isn't an easy task).
The DHE ciphersuites are unfortunately quite bad in respect to
compatibility as any insecure parameters can only be rejected by
terminating the connection. Since there are several servers in the
Internet that send insecure parameters (e.g. of 512 bits), negotiating
RSA over DHE is a good compromise (given that we support ECDHE which has
priority over RSA).
Thus we go for perfect forward secrecy with the well-behaved ECDHE, and
fall back to RSA otherwise.
regards,
Nikos
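As an added illustration (this is not code from the thread or from GnuTLS), the script below parses the two listings quoted above, constructed here verbatim from the mail, and reports exactly where they disagree: suites whose position differs, suites whose hex identifier differs, and any forward-secret (ECDHE/DHE) suite ranked below a non-forward-secret one, which is the ordering policy Nikos describes. The key-exchange classification assumes the GnuTLS naming convention `TLS_<KX>_<cipher>_<mac>` seen in the listings; the parser only understands that line shape.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Suite(NamedTuple):
    name: str
    id: Tuple[int, int]   # two-byte IANA identifier, e.g. (0xc0, 0x24)
    version: str          # minimum protocol version as printed by gnutls-cli


# Constructed sample input: the listing quoted from invoke-gnutls-cli.texi.
DOCS_LISTING = """\
Cipher suites for SECURE192
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
"""

# Constructed sample input: the listing quoted from 'gnutls-cli --priority SECURE192 -l'.
CLI_LISTING = """\
Cipher suites for SECURE192
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2c TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
"""

# One suite line: name, two hex bytes separated by a comma, protocol version.
LINE_RE = re.compile(
    r"^(TLS_\S+)\s+0x([0-9a-fA-F]{2}),\s*0x([0-9a-fA-F]{2})\s+(\S+)\s*$"
)


def parse_listing(text: str) -> List[Suite]:
    """Parse a gnutls-cli -l style table; lines that are not suite rows are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, hi, lo, ver = m.groups()
            suites.append(Suite(name, (int(hi, 16), int(lo, 16)), ver))
    return suites


def key_exchange(name: str) -> str:
    """Extract the key-exchange part of a GnuTLS suite name (assumed convention)."""
    parts = name.split("_")
    if parts[1] in ("ECDHE", "DHE", "ECDH"):
        return parts[1] + "_" + parts[2]   # e.g. ECDHE_ECDSA, DHE_RSA
    return parts[1]                        # e.g. plain RSA


def forward_secret(name: str) -> bool:
    """Ephemeral (EC)DH key exchange provides forward secrecy; static RSA does not."""
    return key_exchange(name).startswith(("ECDHE", "DHE"))


def compare_listings(a: List[Suite], b: List[Suite]) -> Dict[str, list]:
    """Report suites whose rank differs and suites whose identifier differs."""
    pos_b = {s.name: i for i, s in enumerate(b)}
    id_b = {s.name: s.id for s in b}
    order_differs, id_mismatch = [], []
    for i, s in enumerate(a):
        if s.name not in pos_b:
            continue
        if pos_b[s.name] != i:
            order_differs.append(s.name)
        if id_b[s.name] != s.id:
            id_mismatch.append((s.name, s.id, id_b[s.name]))
    return {"order_differs": order_differs, "id_mismatch": id_mismatch}


def pfs_ranked_below_non_pfs(suites: List[Suite]) -> List[str]:
    """Forward-secret suites that appear after a non-forward-secret suite.

    A non-empty result means the priority string prefers a static key exchange
    over at least one ephemeral one, which is the trade-off discussed in the thread.
    """
    seen_non_pfs = False
    demoted = []
    for s in suites:
        if forward_secret(s.name):
            if seen_non_pfs:
                demoted.append(s.name)
        else:
            seen_non_pfs = True
    return demoted


if __name__ == "__main__":
    docs, cli = parse_listing(DOCS_LISTING), parse_listing(CLI_LISTING)
    print(compare_listings(docs, cli))
    print("DHE suites ranked below RSA in CLI output:", pfs_ranked_below_non_pfs(cli))
```

Run against the two quoted listings it flags both discrepancies Tim noticed (the three suites that moved, plus the differing identifier of the ECDHE-ECDSA GCM suite) and lists the two DHE suites the CLI ranks below plain RSA; against the documented ordering the last check returns an empty list.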