[gnutls-devel] GnuTLS | Update predefined priority keywords (#1098)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Sat Oct 3 13:23:02 CEST 2020
Airtower created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1098
The `NORMAL` priority keyword enables several protocols and algorithms
that shouldn't be considered secure by current standards,
* plain RSA key exchange
* TLS 1.0
* TLS 1.1
* DTLS 1.0
* SHA-1 signatures
* SHA-1 MAC seems at least questionable
Aside from SHA-1 signatures and in some cases SHA-1 MAC this also
applies to all the `SECURE` variants, and everything aside from plain
RSA also to `PFS`.
I suppose there may be a compatibility tradeoff regarding SHA-1 MAC,
but the rest could be removed without being any less compatible with
older servers than modern browsers. For TLS 1.2 servers that still
don't support AEAD adding SHA-256 MAC might be useful, whether SHA-1
is removed or not.
Considering that these keywords are intended for people who want
reasonably secure defaults without digging into all the details I think they
should be updated soon. I'd be happy to prepare a patch if there is
consensus on what should be included.
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1098
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel