[gnutls-dev] Work in progress: GnuTLS 2.2 release notes on API changes

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Nov 22 22:05:41 CET 2007


On Thursday 22 November 2007, Sam Varshavchik wrote:

> > As it turns out using the current api with the strings, it might be more
> > convenient if the priorities are parsed initially and cached. That is
> > because on a server you don't want to print a parsing error of the
> > priority string on the first connection. That has to be done while
> > parsing the configuration file or command line. If I find some time this
> > week I'll update the repository.
>
> My recollection of OpenSSL's behavior is that it simply ignores
> unrecognized protocol names. The advantages to that approach is that
> certain ciphers and algorithms can be selectively enabled or disabled when
> building OpenSSL, for various reasons, and the applications can simply use
> a generic,

This is not that good. I might set +AES-128 but negotiate ARCFOUR because I 
had a typo and didn't specify AES-128-CBC.

> one-size-fits-all configuration settings, without having to deal with
> errors due to the base distribution's decision to disable certain ciphers.

Then they should be responsible to warn the user and remove such references.
Removing ciphers and silently letting the user believe he's using them does 
not sound good to me.

> I know that at least Fedora's build of GnuTLS does not enable all ciphers.
> At least give applications an option to ignore unknown ciphers, or flag
> them as errors.

I'm quite afraid of such a flag, but I'll think about it.

regards,
Nikos



More information about the Gnutls-dev mailing list