[gnutls-dev] Work in progress: GnuTLS 2.2 release notes on API changes
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun Nov 18 14:42:06 CET 2007
On Sunday 18 November 2007, Simon Josefsson wrote:
> Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:
> > On Thursday 15 November 2007, Simon Josefsson wrote:
> >> I think it would be better if we had a function like:
> >>
> >> int gnutls_set_priority (gnutls_session_t session,
> >> const char *priority);
> >
> > I just remembered that there was a reason this priority function was kept
> > simple from the begging (integers only). This function is called per
> > session, thus having a parsing routing like this would add some
> > overhead... This could be insignificant compared to RSA/DH etc, but still
> > in a busy server it might become significant.
>
> Ah, I understand.
>
> > What I had thought then was to make this parsing routine output the
> > result in a gnutls_priority_st structure and then associate this
> > struction with every session. If found that solution complex then...
>
> How about implementing the simple gnutls_set_priority function now, and
> if it turns out that it is actually a performance bottle-neck for some
> applications, we can add a gnutls_parse_priority and a new
> gnutls_set_preparsed_priority function to handle that. I think for 90 %
> of the applications, the inefficiency doesn't matter. Premature
> optimization is the root of all evil etc...
Ok.
What about a parser that works like:
int
gnutls_set_default_priority2 (gnutls_session_t session, const char *priority,
char* syntax_error, size_t syntax_error_size)
* Predefined sets of ciphersuites:
* "PERFORMANCE" all the "secure" ciphersuites are enabled,
* limited to 128 bit ciphers and sorted by terms of speed performance.
*
* "NORMAL" option enables all "secure" ciphersuites
* limited to 128 bit ciphers and sorted by security margin.
*
* "HIGH" flag enables all "secure" ciphersuites
* including 256 bit ciphers and sorted by security margin.
*
* "EXPORT" all the ciphersuites are enabled, including
* the low-security 40 bit ciphers.
*
* Special keywords:
* '-' appended with an algorithm will remove this algorithm.
* '%COMPAT' will enable compatibility features for a server.
*
So one could specify something like:
"NORMAL:-AES-128-CBC", "PERFORMANCE:-ARCFOUR-128:-MD5:%COMPAT"
if we allow '+' it could also be "+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5"
(no predefined set is specified so it starts with an empty one).
About compression and versions as well as certificate types I was thinking
something along:
"NORMAL:-VERS-TLS1.0:+VERS-TLS1.1:-AES-128-CBC:-COMP-DEFLATE:+CTYPE-OPENPGP"
If '-' conflicts with our internal separator visually we could also use '!'
instead.
regards,
Nikos
More information about the Gnutls-devel
mailing list