[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Additional network security

From: Ted Zlatanov
Subject: Re: Additional network security
Date: Sat, 20 Dec 2014 06:27:25 -0500
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

On Thu, 18 Dec 2014 22:54:24 +0100 Reiner Steib <address@hidden> wrote: 

RS> Lars Magne Ingebrigtsen wrote:
>> Ted Zlatanov <address@hidden> writes:
>>> How about extending the GnuTLS priority string to also specify the NSM
>>> level, DH bits, etc? So the user would say "NORMAL:NSM(medium,dh=1024)"
>>> and we'd cut out all the NSM bits before passing it on to GnuTLS. If
>>> there's nothing in the priority string, we'd look at
>>> `network-security-level', that would be the out-of-the-box use case.
>> I'm not sure we need to allow this to be customised at this fine-grained
>> level.  Does Firefox allow that, for instance?

RS> At least there's security.tls.version.min,
RS> security.ssl3.ecdhe_ecdsa_rc4_128_sha, and several other security.*
RS> prefs.  Dunno how these relate to Ted's suggestion.

I think most of those can be specified with the GnuTLS priority string,
but it's somewhat obscure how to do it. The GnuTLS guys suggested we
link the `network-security-level' or another variable to some default
priority string combinations, following at least the pattern of

Thread reference:

If anyone is interested in providing a patch, feel free.  My suggestion
would be to provide some customize defaults for `gnutls-priority-string'
that are tagged helpfully and maybe even make them symbols (so the
translation to actual priority string happens under the covers).


reply via email to

[Prev in Thread] Current Thread [Next in Thread]