[Help-gnutls] Default cipher priority in `gnutls-cli'?

Nikos Mavroyanopoulos nmav at gnutls.org
Mon May 31 22:13:32 CEST 2004


On Monday 31 May 2004 21:53, Simon Josefsson wrote:

> I just installed GNUTLS support for STARTTLS in Emacs, via gnutls-cli.
> When doing so, and personally moving away from the OpenSSL based
> 'starttls' tool to gnutls-cli, I noticed gnutls-cli defaults to RC4:
> starttls: TLSv1 with cipher RC4-SHA (128/128 bits new) no authentication
> Whereas OpenSSL's default was AES-256.
> Looking at the code, the current default priority list appears to be:
>
> RC4-128, AES-128, 3DES, AES-256, RC4-40
> Is there some motivation for that priority order?
> IMHO, I find that a list like the following would be easier to motivate:
> AES-256, AES-128, 3DES, RC4-128, RC4-40
> Where the motivation would be: first use the strongest standardized cipher
> (AES-256/128), followed by the strongest historical cipher (3DES),
> followed by interop ciphers.
As far as I remember, speed was the motivation, but you are right, the cipher
strength should be the sorting key. I'll update the client soon.

> Thanks.

-- 
Nikos Mavroyanopoulos
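The ordering rule proposed in the thread (standardized cipher first, then the historical one, then interop ciphers, strongest key size first within each group) written out as a small policy, with a check that flags any place where a weaker cipher is listed ahead of a stronger one. This is an added example, not code from GnuTLS or from either poster; the cipher table, the tier numbers and the 112-bit effective strength assigned to 3DES are constructed here, and the priority-string names (AES-256-CBC, ARCFOUR-128, and so on) assume the priority-string syntax of later GnuTLS releases, which the 2004 gnutls-cli discussed above did not have.

```python
# Added example: strength-first ordering of a default cipher list.
# Not part of the GnuTLS project or the thread above.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    key_bits: int   # effective strength used for sorting
    tier: int       # 0 = standardized (AES), 1 = historical (3DES), 2 = interop (RC4)


# Constructed table covering only the five ciphers named in the thread.
# 3DES is rated at 112 bits (three 56-bit keys, meet-in-the-middle bound).
CIPHERS = {
    "AES-256": Cipher("AES-256", 256, 0),
    "AES-128": Cipher("AES-128", 128, 0),
    "3DES":    Cipher("3DES", 112, 1),
    "RC4-128": Cipher("RC4-128", 128, 2),
    "RC4-40":  Cipher("RC4-40", 40, 2),
}

# The gnutls-cli default order quoted in the thread.
OLD_DEFAULT = ["RC4-128", "AES-128", "3DES", "AES-256", "RC4-40"]

# Assumed mapping to GnuTLS priority-string algorithm names (later releases).
GNUTLS_NAMES = {
    "AES-256": "AES-256-CBC",
    "AES-128": "AES-128-CBC",
    "3DES":    "3DES-CBC",
    "RC4-128": "ARCFOUR-128",
    "RC4-40":  "ARCFOUR-40",
}


def strength_key(name):
    """Sort key: lower tier first, then larger key size first."""
    c = CIPHERS[name]
    return (c.tier, -c.key_bits)


def by_strength(names):
    """Return the ciphers sorted strongest first under the policy above."""
    return sorted(names, key=strength_key)


def inversions(order):
    """Pairs (earlier, later) where the later cipher is ranked stronger.
    An empty list means the order already follows the policy."""
    return [(a, b)
            for i, a in enumerate(order)
            for b in order[i + 1:]
            if strength_key(b) < strength_key(a)]


def drop_weak(order, floor_bits=112):
    """Remove ciphers below an effective-strength floor (export-grade RC4-40)."""
    return [n for n in order if CIPHERS[n].key_bits >= floor_bits]


def priority_string(order):
    """Render an ordered list as a GnuTLS-style priority string (assumed syntax):
    start from NONE and enable ciphers in the given order, then the remaining
    algorithm classes so the string is usable as-is."""
    ciphers = ":".join("+" + GNUTLS_NAMES[n] for n in order)
    return ("NONE:" + ciphers +
            ":+VERS-TLS-ALL:+MAC-ALL:+KX-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X509")


if __name__ == "__main__":
    print("old order:      ", OLD_DEFAULT)
    print("inversions:     ", inversions(OLD_DEFAULT))
    proposed = by_strength(OLD_DEFAULT)
    print("proposed order: ", proposed)
    print("priority string:", priority_string(drop_weak(proposed)))
```

`inversions(OLD_DEFAULT)` is the quick audit: every pair it returns is a case where gnutls-cli would have offered a weaker cipher ahead of a stronger one, which is exactly why the RC4-SHA session was negotiated. `drop_weak` is a separate step from sorting on purpose: ordering fixes which cipher a well-behaved peer picks, but only removal stops a hostile or misconfigured peer from selecting a 40-bit cipher that is still on the list.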