help-gnutls

[Help-gnutls] Default cipher priority in `gnutls-cli'?


From: Simon Josefsson
Subject: [Help-gnutls] Default cipher priority in `gnutls-cli'?
Date: Mon, 31 May 2004 20:53:41 +0200
User-agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.3.50 (gnu/linux)

I just installed GNUTLS support for STARTTLS in Emacs, via gnutls-cli.
When doing so, and personally moving away from the OpenSSL based
'starttls' tool to gnutls-cli, I noticed gnutls-cli defaults to RC4:

starttls: TLSv1 with cipher RC4-SHA (128/128 bits new) no authentication

Whereas OpenSSL's default was AES-256.

Looking at the code, the current default priority list appears to be:

RC4-128, AES-128, 3DES, AES-256, RC4-40

Is there some motivation for that priority order?

IMHO, I find a list like the following would be easier to motivate:

AES-256, AES-128, 3DES, RC4-128, RC4-40

Where the motivation would be: first use strongest standardized cipher
(AES-256/128), followed by strongest historical cipher (3DES),
followed by interop ciphers.

Thanks.

--- cli.c       21 May 2004 19:55:09 +0200      2.237
+++ cli.c       31 May 2004 20:45:32 +0200      
@@ -90,8 +90,8 @@
        GNUTLS_KX_ANON_DH, GNUTLS_KX_RSA_EXPORT, 0
 };
 int cipher_priority[PRI_MAX] =
-    { GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_AES_128_CBC,
-       GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_256_CBC,
+  { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
+    GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128,
        GNUTLS_CIPHER_ARCFOUR_40, 0
 };
 int comp_priority[PRI_MAX] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
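
Review bot: the unchanged last entry of cipher_priority, `GNUTLS_CIPHER_ARCFOUR_40, 0`, keeps a 40-bit cipher in the default list, so the reordering only changes which cipher is preferred and a peer that offers nothing stronger still negotiates it; consider dropping that entry from the default and leaving it to an explicit option. The initializer would also benefit from a one-line comment above it stating the ordering rule from the message (strongest standardized cipher first, then 3DES, then interop ciphers), so a later edit does not silently undo it. The two added lines are indented differently from the unchanged `GNUTLS_CIPHER_ARCFOUR_40, 0` line below them; match the existing indentation.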




