[gnutls-devel] RSA vs. DHE-RSA with default priority string
Armin Burgmeier
armin at arbur.net
Sun May 24 18:12:24 CEST 2015
Hi,
I have a server [0] which allows use of DHE-RSA but does not enforce it.
It does not support any ECC, though.
When connecting with gnutls-cli from master (and 3.3), it chooses RSA
key exchange instead of DHE-RSA. I only get DHE-RSA when I specify
--priority=PFS.
I compared this to gnutls-cli from gnutls 2.12.23: with the default
priority string, I get DHE-RSA. I could switch to RSA with
--priority=PERFORMANCE.
The behaviour of gnutls 2.12 seems more reasonable to me. How would I
make the current version of gnutls prefer DHE-RSA but still allow RSA if
the server does not support DH? I understand --priority=PFS completely
disables any non-PFS kx algorithms. I'd prefer not to hand-craft a
priority string that explicitly contains algorithm names, so that I stay
upwards-compatible.
Thanks,
Armin
[0] https://server01.komline.de