Re: [gnutls-dev] Work in progress: GnuTLS 2.2 release notes on API changes

[Sam Varshavchik]

Nikos Mavrogiannopoulos writes:

> On Sunday 18 November 2007, Simon Josefsson wrote:
>
> > > What I had thought then was to make this parsing routine output the
> > > result in a gnutls_priority_st structure and then associate this
> > > struction with every session. If found that solution complex then...
> >
> > How about implementing the simple gnutls_set_priority function now, and
> > if it turns out that it is actually a performance bottle-neck for some
> > applications, we can add a gnutls_parse_priority and a new
> > gnutls_set_preparsed_priority function to handle that.  I think for 90 %
> > of the applications, the inefficiency doesn't matter.  Premature
> > optimization is the root of all evil etc...
>
> As it turns out using the current api with the strings, it might be more
> convenient if the priorities are parsed initially and cached. That is because
> on a server you don't want to print a parsing error of the priority string
> on the first connection. That has to be done while parsing the configuration
> file or command line. If I find some time this week I'll update the 
> repository.

My recollection of OpenSSL's behavior is that it simply ignores unrecognized 
protocol names. The advantages to that approach is that certain ciphers and 
algorithms can be selectively enabled or disabled when building OpenSSL, for 
various reasons, and the applications can simply use a generic, 
one-size-fits-all configuration settings, without having to deal with errors 
due to the base distribution's decision to disable certain ciphers.

I know that at least Fedora's build of GnuTLS does not enable all ciphers. 
At least give applications an option to ignore unknown ciphers, or flag them 
as errors.

pgpsZGla2FNHX.pgp
Description: PGP signature