[Help-gnutls] Re: SMTP TLS & Thunderbird

Simon Josefsson simon at josefsson.org
Mon Mar 5 13:41:36 CET 2007


David Given <dg at cowlark.com> writes:

> Simon Josefsson wrote:
> [...]
>> Many programs refuse to work if the server doesn't have a X.509
>> certificate, so yes, I'm afraid you'll have to add that to your
>> server, or modify a lot of clients.
>
> It's all working now, thanks. Although I will admit that setting all the code
> up was not pretty --- the documentation's very hazy on what the various
> functions return if something goes wrong (such as not being able to read the
> keyfiles), and I've found that in order to make it fall back on anonymous
> authentication if the keys don't work I have to call gnutls_kx_set_priority(),
> which surprises me as the documentation swears blind that it's ignored on servers.

It is clear that both code and documentation are sub-optimal here.
Below is how I will proceed to attempt to improve things.

* Encourage more applications to just use
  gnutls_set_default_priority().

  One part of achieving that is to make all examples use it, and avoid
  any specific calls to gnutls_*_set_priority.  Such uses are not
  future-proof, and should really not be part of the examples, since
  it isn't good practice.  It is better if the library picks sane
  defaults.

* Fix gnutls_set_default_priority to have sane defaults.

  For example, right now it doesn't even include TLS 1.0!  However,
  that bug was introduced in the 1.7 series, so no major harm...

  Here are the default priorities I believe all applications should
  use.  Any comments?  I think the only questionable one may be to
  exclude GNUTLS_KX_ANON_DH since it isn't safe against mitm's, but
  neither is X.509 without verifying the certificates.  However,
  deployment suggests that we shouldn't include it, so I didn't.
  Possibly AES256 should be the default, I dunno.  I would have liked
  to remove ARCFOUR_128, but it is so widely used that it isn't
  possible.  Perhaps it should be disabled for TLS >= 1.1 connections.

  static const int protocol_priority[] = {
    GNUTLS_TLS1_2,
    GNUTLS_TLS1_1,
    GNUTLS_TLS1_0,
    GNUTLS_SSL3,
    0
  };
  static const int kx_priority[] = {
    GNUTLS_KX_DHE_PSK,
    GNUTLS_KX_PSK,
    GNUTLS_KX_SRP_RSA,
    GNUTLS_KX_SRP_DSS,
    GNUTLS_KX_SRP,
    GNUTLS_KX_DHE_RSA,
    GNUTLS_KX_DHE_DSS,
    GNUTLS_KX_RSA,
    /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
     * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add!
     */
    0
  };
  static const int cipher_priority[] = {
    GNUTLS_CIPHER_AES_128_CBC,
    GNUTLS_CIPHER_AES_256_CBC,
    GNUTLS_CIPHER_3DES_CBC,
    GNUTLS_CIPHER_ARCFOUR_128,
    /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
    0
  };
  static const int comp_priority[] = {
    /* GNUTLS_COMP_LZO: Not standardized, don't add! */
    GNUTLS_COMP_DEFLATE,
    GNUTLS_COMP_NULL,
    0
  };
  static const int mac_priority[] = {
    GNUTLS_MAC_SHA1,
    GNUTLS_MAC_MD5,
    0
  };

* Verify that handshake logic removes unnecessary ciphersuites before
  sending them.  For example, there's no point in sending a SRP
  ciphersuite if there is no SRP callback set.  I believe the code is
  correct in most places here, but it needs to be verified.

* Make gnutls-cli and gnutls-serv use the new best practice.  Right
  now, they have their own set of priority lists.  It would be better to
  avoid that, and only use the library priorities.

Comments welcome!

/Simon
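The third bullet above (drop ciphersuites whose credentials were never set, e.g. SRP with no SRP callback) can be modelled as a small pruning pass over the key-exchange priority list. The code below is an added illustration written for this archive page, not GnuTLS's own handshake code; the `enum kx` values, the `CRED_*` flags and the credential requirements per key exchange are constructed assumptions standing in for GnuTLS's real algorithm enums and credential objects.

```c
/* Added example, not GnuTLS code: prune key-exchange methods a server
 * cannot actually complete because the matching credentials are absent.
 * Enum values, CRED_* flags and the per-kx requirements are constructed
 * for this example. */
#include <stddef.h>
#include <stdio.h>

enum kx { KX_NONE = 0, KX_DHE_PSK, KX_PSK, KX_SRP_RSA, KX_SRP_DSS, KX_SRP,
          KX_DHE_RSA, KX_DHE_DSS, KX_RSA, KX_ANON_DH };

/* Bit flags for the credential types attached to a (hypothetical) session. */
enum { CRED_CERT = 1, CRED_PSK = 2, CRED_SRP = 4, CRED_ANON = 8 };

/* Credentials a key exchange needs before it is worth offering (assumed:
 * SRP_RSA/SRP_DSS need a certificate to sign the SRP parameters as well). */
static int kx_needs(enum kx k)
{
    switch (k) {
    case KX_DHE_PSK: case KX_PSK:                    return CRED_PSK;
    case KX_SRP_RSA: case KX_SRP_DSS:                return CRED_SRP | CRED_CERT;
    case KX_SRP:                                     return CRED_SRP;
    case KX_DHE_RSA: case KX_DHE_DSS: case KX_RSA:   return CRED_CERT;
    case KX_ANON_DH:                                 return CRED_ANON;
    default:                                         return -1; /* unknown: never offer */
    }
}

/* Copy the usable entries of the zero-terminated list `in` into `out`
 * (which must hold at least as many entries), preserving the priority
 * order.  Returns the number of entries kept; `out` is zero-terminated. */
size_t prune_kx(const int *in, int *out, int cred_mask)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != 0; i++) {
        int need = kx_needs((enum kx)in[i]);
        if (need > 0 && (cred_mask & need) == need)
            out[n++] = in[i];
    }
    out[n] = 0;
    return n;
}

/* Constructed list mirroring the kx_priority order in the message. */
static const int default_kx[] = { KX_DHE_PSK, KX_PSK, KX_SRP_RSA, KX_SRP_DSS,
                                  KX_SRP, KX_DHE_RSA, KX_DHE_DSS, KX_RSA, 0 };

int main(void)
{
    int out[16];
    size_t n = prune_kx(default_kx, out, CRED_CERT);  /* server with only an X.509 key */
    printf("kept %zu key exchanges with certificate credentials only\n", n);
    return 0;
}
```

A server that has only loaded an X.509 key keeps just the three certificate-based exchanges; the PSK and SRP entries never reach the ClientHello/ServerHello negotiation.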