[gnutls-devel] GnuTLS | Enhance the configuration file capabilities (!1013)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Fri Jun 14 06:56:44 CEST 2019
Nikos Mavrogiannopoulos commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1013#note_181273166
> if (p != NULL)
> system_priority_file = p;
>
> + p = secure_getenv("GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID");
Indeed that can be confusing. The advantage I saw when writing this, was using a configuration for a different version which may have newer algorithms can still be safe. For example when someone downgrades gnutls while the policy is untouched, the older version still works, even if the new version had a curve that the last did not support. Also you could ship the same config to multiple hosts irrespective of the gnutls version. The simplicity of just failing though, will make it much easier identify errors in configuration files. What do you think?
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1013#note_181273166
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20190614/a5f654e8/attachment-0001.html>
More information about the Gnutls-devel
mailing list