[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Tuning GnuTLS

From: Lars Magne Ingebrigtsen
Subject: Tuning GnuTLS
Date: Mon, 18 Jul 2011 05:23:16 +0200
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.50 (gnu/linux)

We should strive to make TLS connections as painless as possible, and
involving as little user intervention as possible, while preserving a
reasonable level of security.

So far, two failure points have been identified:

1) Some servers sends a prime with fewer bits than the accepted default.
I think the right thing to do here is to just default
`gnutls-min-prime-bits' to a lower number than the default GnuTLS
number.  I don't know what that number should be, but I think people who
want better bits than that can adjust this number upwards.

2) Servers presenting broken, er, certificates with certain algorithms.
If negotiation with DHE-RSA has failed, then negotiation without that
algorithm should be attempted.  But is it possible to fall back to
plain-text?  I don't really know how that works.  But if that's
possible, the fall-back should obviously stop before it gets that far.

After a priority has been established, I then think that the priority
for this specific server/port pair should be saved via Customize, so
that the next connection can be done faster automatically, without the
need for all this negotiation.

(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/

reply via email to

[Prev in Thread] Current Thread [Next in Thread]