[gnutls-devel] forcing 256bit symetric?

James Cloos cloos at jhcloos.com
Thu Apr 16 19:18:46 CEST 2015


>>>>> "NM" == Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

JC>> What is the shortest priority to demand aes256, prefering aead, but
JC>> accept the certs in actual use in the wild?

NM> NORMAL:-CIPHER-ALL:+AES-128-GCM:+...

That gave me the hint I needed.  I ended up with:

  NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+CHACHA20-POLY1305:+AES-256-GCM

I'll add +AES-256-CCM once I know it is happy on my box.

>> SECURE256 fails because it demands sha512 and essentially no one uses
>> that to sign certs.

NM> Correct. We may need different keywords to indicate secrecy level of
NM> 256-bits, while keeping the handshake security level to the current
NM> defaults.

Sounds like a plan.

-JimC
-- 
James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6



More information about the Gnutls-devel mailing list