[gnutls-devel] GnuTLS | Update predefined priority keywords (#1098)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sat Oct 3 13:23:02 CEST 2020



Airtower created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1098



The `NORMAL` priority keyword enables several protocols and algorithms
that shouldn't be considered secure by current standards,
specifically:

* plain RSA key exchange
* TLS 1.0
* TLS 1.1
* DTLS 1.0
* SHA-1 signatures
* SHA-1 MAC seems at least questionable

Aside from SHA-1 signatures and in some cases SHA-1 MAC this also
applies to all the `SECURE` variants, and everything aside from plain
RSA also to `PFS`.

I suppose there may be a compatibility tradeoff regarding SHA-1 MAC,
but the rest could be removed without being any less compatible with
older servers than modern browsers. For TLS 1.2 servers that still
don't support AEAD adding SHA-256 MAC might be useful, whether SHA-1
is removed or not.

Considering that these keywords are intended for people who want
reasonably secure defaults without digging into all the details I think they
should be updated soon. I'd be happy to prepare a patch if there is
consensus on what should be included.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1098
You're receiving this email because of your account on gitlab.com.
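
The following is an added example, not code from the issue or from the GnuTLS project: a shell check that reads the summary lines printed by `gnutls-cli --list --priority <string>` and reports which of the items listed in the issue a priority string still enables. The sample listing is constructed and abridged, the summary-line layout is assumed to match what `gnutls-cli` prints, and `candidate_priority` is a hypothetical helper that writes the issue's list as removals.

```shell
#!/bin/sh
# Added example: flag the items named in the issue in `gnutls-cli --list` output.

# Constructed, abridged sample of the summary lines (not a captured run).
SAMPLE_NORMAL='Protocols: VERS-TLS1.3, VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-DTLS1.2, VERS-DTLS1.0
MACs: SHA1, AEAD
Key Exchange Algorithms: ECDHE-ECDSA, ECDHE-RSA, RSA, DHE-RSA
PK-signatures: SIGN-RSA-SHA256, SIGN-ECDSA-SHA256, SIGN-RSA-SHA1, SIGN-ECDSA-SHA1'

# Hypothetical helper: the issue's list written as removals from a base keyword.
# SHA-1 MAC is left in place because the issue treats it as a compatibility tradeoff.
candidate_priority() {
    printf '%s:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:-RSA:-SIGN-RSA-SHA1:-SIGN-ECDSA-SHA1\n' "$1"
}

# Reads a listing on stdin and prints one finding per line.
audit_priority() {
    awk -F': *' '
        # Exact match against a comma-separated list, so ECDHE-RSA is not taken for RSA.
        function has(list, name,    a, n, i) {
            n = split(list, a, /, */)
            for (i = 1; i <= n; i++) if (a[i] == name) return 1
            return 0
        }
        { sub(/[ \t\r]+$/, "") }    # tolerate trailing whitespace
        $1 == "Protocols" {
            if (has($2, "VERS-TLS1.0"))  print "TLS 1.0"
            if (has($2, "VERS-TLS1.1"))  print "TLS 1.1"
            if (has($2, "VERS-DTLS1.0")) print "DTLS 1.0"
        }
        $1 == "Key Exchange Algorithms" && has($2, "RSA") { print "plain RSA key exchange" }
        $1 == "MACs" && has($2, "SHA1") { print "SHA-1 MAC" }
        $1 == "PK-signatures" {
            n = split($2, s, /, */)
            for (i = 1; i <= n; i++) if (s[i] ~ /-SHA1$/) print "SHA-1 signature: " s[i]
        }
    '
}

# With an argument and gnutls-cli installed, audit that priority string;
# otherwise audit the constructed sample.
if [ $# -gt 0 ] && command -v gnutls-cli >/dev/null 2>&1; then
    gnutls-cli --list --priority "$1" | audit_priority
else
    printf '%s\n' "$SAMPLE_NORMAL" | audit_priority
fi
```

Running the script with the output of `candidate_priority NORMAL` as its argument shows whether the removals took effect on the installed GnuTLS version.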

