
List:       gnutls-dev
Subject:    Re: [gnutls-devel] RSA vs. DHE-RSA with default priority string
From:       Armin Burgmeier <armin () arbur ! net>
Date:       2015-05-24 16:47:41
Message-ID: 1432486061.2026.17.camel () arbur ! net

On Sun, 2015-05-24 at 18:34 +0200, Nikos Mavrogiannopoulos wrote:
> On Sun, 2015-05-24 at 12:12 -0400, Armin Burgmeier wrote:
> > Hi,
> > 
> > I have a server [0] which allows use of DHE-RSA but does not enforce it.
> > It does not support any ECC, though.
> > 
> > When connecting with gnutls-cli from master (and 3.3), it chooses RSA
> > key exchange instead of DHE-RSA. I only get DHE-RSA when I specify
> > --priority=PFS.
> 
> The priorities were adjusted for DHE to be at the end of the list
> sometime during the 3.x branch because of the compatibility issues these
> ciphersuites have. That is, if as a client you connect to a server which
> presents a prime of inadequate length, the handshake will fail (as seen in
> http://www.gnutls.org/faq.html#prime-not-acceptable ).
> 
> There is no way to avoid that, thus the solution was to move DHE to the
> end of the list by the time we had reliable ECDHE support. That said, if
> you want to prioritize DHE over RSA you can do:
> "PFS:+RSA", or "NORMAL:-RSA:+RSA"

Thanks for the explanation and the suggestions! I'll go with that.

Armin


_______________________________________________
Gnutls-devel mailing list
Gnutls-devel@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
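The check a practitioner would want after reading the exchange above is to see what key exchange gnutls-cli actually negotiates with a given server under the default priority versus "NORMAL:-RSA:+RSA", and to recognise the failure mode Nikos describes (the server's DH prime being rejected as too short). The script below is an added example and is not code from the thread or from the GnuTLS project. It assumes that gnutls-cli, run with --verbose, prints a "- Key Exchange: ..." line after a successful handshake and prints no such line when the handshake fails; the three sample outputs embedded in it are constructed for the offline checks and are not captured from any real server.

```sh
#!/bin/sh
# Added example (not from the thread): report the key exchange gnutls-cli
# negotiates for a priority string and whether it provides forward secrecy.

# Print the negotiated key-exchange name from gnutls-cli output read on stdin.
# Assumes the "- Key Exchange: NAME" line gnutls-cli --verbose prints after a
# successful handshake; prints nothing if the handshake failed.
negotiated_kx() {
    sed -n 's/^- Key Exchange: *//p' | head -n 1
}

# Return 0 when the key exchange is ephemeral (DHE-* or ECDHE-*), i.e. the
# session keys are not recoverable from the server's long-term RSA key.
has_pfs() {
    case "$1" in
        DHE-*|ECDHE-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Summarise one gnutls-cli run read on stdin. Prints "pfs NAME",
# "no-pfs NAME" or "handshake-failed"; exit status 0, 1 or 2 respectively.
classify() {
    kx=$(negotiated_kx)
    if [ -z "$kx" ]; then
        echo "handshake-failed"
        return 2
    fi
    if has_pfs "$kx"; then
        echo "pfs $kx"
        return 0
    fi
    echo "no-pfs $kx"
    return 1
}

# Connect to HOST[:PORT] with the given priority string and classify the
# result. Needs network access and gnutls-cli; the offline checks below do
# not call it. stdin is /dev/null so gnutls-cli exits right after the
# handshake instead of waiting for data to send.
probe() {
    host=$1; port=${2:-443}; prio=${3:-NORMAL}
    gnutls-cli --verbose --priority "$prio" --port "$port" "$host" \
        </dev/null 2>&1 | classify
}

# Constructed sample outputs (not captured from a real server) in the shape
# gnutls-cli --verbose is assumed to produce.
SAMPLE_RSA='- Description: (TLS1.2)-(RSA)-(AES-128-GCM)
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-GCM
- Handshake was completed'

SAMPLE_DHE='- Ephemeral Diffie-Hellman parameters
 - Using prime: 2048 bits
- Description: (TLS1.2)-(DHE-RSA-2048)-(AES-128-GCM)
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Handshake was completed'

SAMPLE_FAIL='*** Fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
*** Handshake has failed'

# Usage: sh pfs-probe.sh HOST [PORT] [PRIORITY]
# Compare e.g. PRIORITY=NORMAL with PRIORITY='NORMAL:-RSA:+RSA'.
if [ $# -gt 0 ]; then
    probe "$@"
fi
```

Run it twice against the same host, once with the default NORMAL priority and once with 'NORMAL:-RSA:+RSA' (or 'PFS:+RSA'); against a server like the one in the thread the first run reports "no-pfs RSA" and the second "pfs DHE-RSA". A "handshake-failed" result for the DHE-preferring string is the compatibility problem Nikos describes: the client rejected the server's DH prime rather than silently falling back to RSA.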
