[gnutls-devel] [RFC] Relaxing cipher suite (priority) string requirements
nmav at gnutls.org
Fri Jan 25 21:37:06 CET 2013
On 01/24/2013 02:40 AM, Jouko Orava wrote:
> GnuTLS is very, very picky about the cipher suite strings it accepts.
> I wrote a test patch (attached), UNTESTED, that should relax the
> requirements. The main points are:
I think the idea of simplifying the rules is a nice one. Some comments
on the specific changes.
> - Make '+' prefix optional
> - Allow full cipher names, adding/removing cipher, mac, and kx
> (I suspect it would be better to add all three, but
> when removing, only remove the cipher.
> Currently the patch adds/removes all three.)
This is tricky. Although I don't think we are going to have a cipher
called SHA1, I was afraid of collisions and that's why we have this
awkward format. E.g. what does the +NULL mean? the NULL cipher? or
compression? How could you handle that?
> The patch also includes a change into lib/gnutls_priority.c:prio_remove(),
> that instead of replacing the removed item with the final item in the
> array, uses memmove() to shorten the array. For some reason I seem
> to believe the order in these priority lists matter.
Indeed, even if it comes at the cost of memmove :(
More information about the Gnutls-devel