[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Weechat-dev] [task #10106] Allow configurable TLS priorities or hardcod
From: |
bazerka |
Subject: |
[Weechat-dev] [task #10106] Allow configurable TLS priorities or hardcode the use of SECURE256 priority |
Date: |
Mon, 18 Jan 2010 22:38:47 +0000 |
User-agent: |
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729) |
URL:
<http://savannah.nongnu.org/task/?10106>
Summary: Allow configurable TLS priorities or hardcode the
use of SECURE256 priority
Project: WeeChat
Submitted by: bazerka
Submitted on: Mon 18 Jan 2010 10:38:46 PM GMT
Category: other
Should Start On: Mon 18 Jan 2010 12:00:00 AM GMT
Should be Finished on: Mon 18 Jan 2010 12:00:00 AM GMT
Priority: 5 - Normal
Status: None
Privacy: Public
Percent Complete: 0%
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
IRC nick: Bazerka
_______________________________________________________
Details:
At present, TLS priorities are hardcoded to specify a preference list of
protocols only.
Due to this, 128bit ciphersuites are appearing in the ciphersuite list prior
to their 256bit counterparts and hence, will always be used in preference.
I suggest either allowing the priority string to be user configurable, or
hardcoding the priority to include SECURE256 as well as the protocol, so that
the available cipersuite list is sorted from strongest to weakest (ie, 256bit
ciphersuites are listed before the 128bit variants).
For example,
gnutls-cli connecting to an ssl ircd without --priority SECURE256 shows :
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
[SNIP]
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
Connecting to the same ircd with --priority SECURE256 shows:
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
[SNIP]
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/task/?10106>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Weechat-dev] [task #10106] Allow configurable TLS priorities or hardcode the use of SECURE256 priority,
bazerka <=