[Help-gnutls] Re: Default cipher priority in `gnutls-cli'?

Simon Josefsson jas at extundo.com
Tue Jun 1 08:38:47 CEST 2004

Nikos Mavroyanopoulos <nmav at gnutls.org> writes:

> On Monday 31 May 2004 21:53, Simon Josefsson wrote:
>> I just installed GNUTLS support for STARTTLS in Emacs, via gnutls-cli.
>> When doing so, and personally moving away from the OpenSSL based
>> 'starttls' tool to gnutls-cli, I noticed gnutls-cli default to RC4:
>> starttls: TLSv1 with cipher RC4-SHA (128/128 bits new) no authentication
>> Whereas OpenSSL's default was AES-256.
>> Looking at the code, the current default priority list appear to be:
>> RC4-128, AES-128, 3DES, AES-256, RC4-40
>> Is there some motivation for that priority order?
>> IMHO, I find a list like the following would be easier to motivate:
>> AES-256, AES-128, 3DES, RC4-128, RC4-40
>> Where the motivation would be: first use strongest standardized cipher
>> (AES-256/128), followed by strongest historical cipher (3DES),
>> followed by interop ciphers.
> As far as I remember speed was the motivation,

Ah, then the list makes more sense to me.

> but you are right, the cipher strength should be the sorting
> key. I'll update the client soon.


More information about the Gnutls-help mailing list