[gnutls-devel] GnuTLS | Provide a configuration file (#587)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Oct 8 10:07:02 CEST 2018

New Issue was created.

Issue 587: https://gitlab.com/gnutls/gnutls/issues/587
Author:    Nikos Mavrogiannopoulos

The approach of gnutls is to deprecate algorithms like SHA1 in the library, and change TLS settings on various versions which improve the security. However there are cases where these items are handled on the operating system level (e.g., fedora crypto-policies), and as such it would be beneficial to allow such settings to switch system-wide.

Currently we only provide a way to create application-specific or system-specific priority strings and modify the default priority string set with `gnutls_set_default_priority`; this only affects a subset of applications that use gnutls (i.e., not the ones that specifically set a priority string).

We should enhance the currently provided configuration file (system priority file), to be able to configure:
 * Set/Unset deprecated hashes for signature algorithms
 * Set global TLS options which no application could override; this should include
  - disallowed TLS versions
  - disallowed signature algorithms
  - disallowed ciphers
  - disallowed macs

cf. [inih](https://github.com/benhoyt/inih)
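As an added illustration of the requested behaviour (not code from the issue or from GnuTLS), the following parses a small INI-style override file and strips system-disallowed versions, ciphers, MACs and signature algorithms from whatever an application asks for; the section and key names, the sample file and the helper functions are all assumptions, not GnuTLS's real configuration syntax.

```python
import configparser

# Constructed sample of a hypothetical system-wide override file. The
# section and key names are assumptions chosen to mirror the issue's list,
# not the syntax GnuTLS actually adopted.
SAMPLE_CONFIG = """
[overrides]
insecure-hash = sha1, md5
disabled-version = tls1.0, tls1.1
disabled-signature-algorithm = rsa-sha1
disabled-cipher = 3des-cbc, rc4-128
disabled-mac = md5
"""

def _split(value):
    # "a, b" -> {"a", "b"}; names are compared case-insensitively
    return {item.strip().lower() for item in value.split(",") if item.strip()}

def load_overrides(text):
    """Parse the [overrides] section into a dict of lowercase name sets."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    section = parser["overrides"] if parser.has_section("overrides") else {}
    return {key: _split(value) for key, value in section.items()}

def apply_overrides(requested, overrides):
    """Drop system-disallowed items from an application's requested settings.

    `requested` maps a category ('version', 'cipher', 'mac',
    'signature-algorithm') to the list the application asked for. Returns
    (allowed, removed) so the caller can log what the policy stripped; an
    application cannot re-enable anything listed in the overrides."""
    mapping = {
        "version": "disabled-version",
        "cipher": "disabled-cipher",
        "mac": "disabled-mac",
        "signature-algorithm": "disabled-signature-algorithm",
    }
    allowed, removed = {}, {}
    for category, items in requested.items():
        banned = overrides.get(mapping.get(category, ""), set())
        allowed[category] = [i for i in items if i.lower() not in banned]
        removed[category] = [i for i in items if i.lower() in banned]
    return allowed, removed

def hash_is_insecure(name, overrides):
    """True if the hash is marked insecure for signatures by the policy."""
    return name.lower() in overrides.get("insecure-hash", set())
```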
