[gnutls-dev] Another openpgp question...

Nikos Mavroyanopoulos nmav at gnutls.org
Wed Nov 26 10:19:56 CET 2003


On Tue, Nov 25, 2003 at 05:43:11PM -0800, Charles 'Buck' Krasic wrote:

> Hi Nikos,
> Thanks for your replies.  They have been very helpful.
> I've been able to get GnuTLS basically working in my video streaming
> system.   At first, I got it working with AES128 + SHA1.   I noticed
> that the CPU load was quite high (not a big suprise) so I started to try
> and measure some other combinations.   This is where I ran into a lot of

If the high load is during the handshake, you should consider using
session resuming to avoid rehandshakes. If the high load is during
the record layer tranfers, then there is little you can do. ARCFOUR
is the fastest cipher supported, so using it is a good idea (I haven't
checked the speed difference between SHA1 and RIPEMD algorithms).

> trouble.   I'm not an expert in OpenPGP or gnupg, so it's not obvious to
> me what kinds of keys are required for the different ciphers supported
> in GnuTLS.   I made some progress by enabling GnuTLS's logging, but I
> still don't understand what is required to get certain ciphers to work.
> For example,  I can get the ARCFOUR_SHA cipher, but not ARCFOUR_MD5 (128
> or 40).  

> I am basically content for now that I have some encryption working, but
> it would be nice to have some clarification on issues above.   

Not all combinations of ciphers are available, even if the API implies
that. The openpgp ciphersuites do not include MD5 as an HMAC option. They
only allow SHA and RIPEMD-160. They also do not include the export
ciphers since they were obsoleted by the TLS Working group.

Also note that the DHE_RSA ciphersuites may get disabled if your
key is encrypt only. The same for plain RSA if your key is sign
only.

> -- Buck


-- 
Nikos Mavroyanopoulos




More information about the Gnutls-devel mailing list