[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Tuning GnuTLS
From: |
Lars Magne Ingebrigtsen |
Subject: |
Tuning GnuTLS |
Date: |
Mon, 18 Jul 2011 05:23:16 +0200 |
User-agent: |
Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.50 (gnu/linux) |
We should strive to make TLS connections as painless as possible, and
involving as little user intervention as possible, while preserving a
reasonable level of security.
So far, two failure points have been identified:
1) Some servers sends a prime with fewer bits than the accepted default.
I think the right thing to do here is to just default
`gnutls-min-prime-bits' to a lower number than the default GnuTLS
number. I don't know what that number should be, but I think people who
want better bits than that can adjust this number upwards.
2) Servers presenting broken, er, certificates with certain algorithms.
If negotiation with DHE-RSA has failed, then negotiation without that
algorithm should be attempted. But is it possible to fall back to
plain-text? I don't really know how that works. But if that's
possible, the fall-back should obviously stop before it gets that far.
After a priority has been established, I then think that the priority
for this specific server/port pair should be saved via Customize, so
that the next connection can be done faster automatically, without the
need for all this negotiation.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog http://lars.ingebrigtsen.no/
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- Tuning GnuTLS,
Lars Magne Ingebrigtsen <=