Re: gnutls 2.10 won't negotiate TLS 1.2 if priority is set to "SECURE256"

From: Nikos Mavrogiannopoulos
Subject: Re: gnutls 2.10 won't negotiate TLS 1.2 if priority is set to "SECURE256"
Date: Thu, 26 May 2011 19:13:27 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10

On 05/26/2011 05:56 PM, Sam Varshavchik wrote:

> I rebuilt a client/server against gnutls 2.10, from 2.8 before. I
> give "SECURE256:-CTYPE-OPENPGP" to gnutls_priority_set_direct() on
> both the client and the server side. After updating to 2.10, TLS
> negotiation fails with a GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM.

Thanks for reporting that. Confirmed. SECURE256 requires SHA-512 but
gnutls will not use SHA-512 for its handshake process (only SHA-1 and
SHA-256).

To work around that, don't use SECURE256. The weakest link in
the TLS handshake provides security of 96 bits. So by
using SECURE256 you are not increasing the security, you
are just using bigger keys.

regards,
Nikos