[gnutls-dev] 256 bit ciphers

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Oct 14 23:24:32 CEST 2007


On Saturday 13 October 2007, Simon Josefsson wrote:
> Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> writes:
> > Hello,
> >  I think the 256 ciphers offer no more in security than their 128 bit
> > equivalents and they are in general slower. Thus I think it would be a
> > good idea to remove them from the default priority lists. Are there any
> > objections or good reason to keep them?
>
> The gnutls_set_default_export_priority function is the same both for
> clients and servers, and while it may make sense to only use 128 bits by
> default in clients, not supporting 256 bits in servers seems
> problematic.  What if a client supports AES-256 and ARCFOUR-128 connects
> to a GnuTLS server with default settings?  Then they would end up with
> ARCFOUR-128 which seems bad.
> There should probably had been two "default" functions, one for clients
> and one for servers, since the defaults may be different.  It may be too
> late to change that.

Indeed. Yes maybe it is a good idea for the default ciphers to contain all the 
strong supported ciphers.

regards,
Nikos




More information about the Gnutls-devel mailing list