[gnutls-dev] Work in progress: GnuTLS 2.2 release notes on API changes

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Nov 18 14:42:06 CET 2007


On Sunday 18 November 2007, Simon Josefsson wrote:
> Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:
> > On Thursday 15 November 2007, Simon Josefsson wrote:
> >> I think it would be better if we had a function like:
> >>
> >>   int gnutls_set_priority (gnutls_session_t session,
> >>                            const char *priority);
> >
> > I just remembered that there was a reason this priority function was kept
> > simple from the begging (integers only). This function is called per
> > session, thus having a parsing routing like this would add some
> > overhead... This could be insignificant compared to RSA/DH etc, but still
> > in a busy server it might become significant.
>
> Ah, I understand.
>
> > What I had thought then was to make this parsing routine output the
> > result in a gnutls_priority_st structure and then associate this
> > struction with every session. If found that solution complex then...
>
> How about implementing the simple gnutls_set_priority function now, and
> if it turns out that it is actually a performance bottle-neck for some
> applications, we can add a gnutls_parse_priority and a new
> gnutls_set_preparsed_priority function to handle that.  I think for 90 %
> of the applications, the inefficiency doesn't matter.  Premature
> optimization is the root of all evil etc...
Ok.

What about a parser that works like:

int
gnutls_set_default_priority2 (gnutls_session_t session, const char *priority, 
  char* syntax_error, size_t syntax_error_size)

  * Predefined sets of ciphersuites:
  * "PERFORMANCE" all the "secure" ciphersuites are enabled, 
  * limited to 128 bit ciphers and sorted by terms of speed performance.
  *
  * "NORMAL" option enables all "secure" ciphersuites 
  * limited to 128 bit ciphers and sorted by security margin.
  *
  * "HIGH" flag enables all "secure" ciphersuites 
  * including 256 bit ciphers and sorted by security margin.
  *
  * "EXPORT" all the ciphersuites are enabled, including
  * the low-security 40 bit ciphers.
  *
  * Special keywords:
  * '-' appended with an algorithm will remove this algorithm.
  * '%COMPAT' will enable compatibility features for a server.
  *

So one could specify something like:
"NORMAL:-AES-128-CBC", "PERFORMANCE:-ARCFOUR-128:-MD5:%COMPAT"

if we allow '+' it could also be "+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5" 
(no predefined set is specified so it starts with an empty one).

About compression and versions as well as certificate types I was thinking 
something along:

"NORMAL:-VERS-TLS1.0:+VERS-TLS1.1:-AES-128-CBC:-COMP-DEFLATE:+CTYPE-OPENPGP"

If '-' conflicts with our internal separator visually we could also use '!' 
instead.


regards,
Nikos





More information about the Gnutls-dev mailing list