[Help-gnutls] Default cipher priority in `gnutls-cli'?

[Simon Josefsson]

I just installed GNUTLS support for STARTTLS in Emacs, via gnutls-cli.
When doing so, and personally moving away from the OpenSSL based
'starttls' tool to gnutls-cli, I noticed gnutls-cli default to RC4:

starttls: TLSv1 with cipher RC4-SHA (128/128 bits new) no authentication

Whereas OpenSSL's default was AES-256.

Looking at the code, the current default priority list appear to be:

RC4-128, AES-128, 3DES, AES-256, RC4-40

Is there some motivation for that priority order?

IMHO, I find a list like the following would be easier to motivate:

AES-256, AES-128, 3DES, RC4-128, RC4-40

Where the motivation would be: first use strongest standardized cipher
(AES-256/128), followed by strongest historical cipher (3DES),
followed by interop ciphers.

Thanks.

--- cli.c	21 May 2004 19:55:09 +0200	2.237
+++ cli.c	31 May 2004 20:45:32 +0200	
@@ -90,8 +90,8 @@
 	GNUTLS_KX_ANON_DH, GNUTLS_KX_RSA_EXPORT, 0
 };
 int cipher_priority[PRI_MAX] =
-    { GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_AES_128_CBC,
-	GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_256_CBC,
+  { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
+    GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128,
 	GNUTLS_CIPHER_ARCFOUR_40, 0
 };
 int comp_priority[PRI_MAX] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };