[Help-gnutls] Excluding specific cipher suites from being offered during the TLS handshake

Scott Schaeffner sschaeffner at hotmail.com
Wed Nov 26 10:19:25 CET 2008

Our diameter server solution consists of a C++ diameter server and its stand-in counterpart implemented in Java, meaning that in case the C++ diameter server has an operational problem, the backup written in Java takes over as long as necessary. 
The C++ server utilizes GNU TLS functionality (currently version 2.2.5 using the openssl compatibility layer) for providing security for TCP communication and the one written in Java (version 1.5) uses the TLS functionality in JSSE. The sets of ciphersuites supported by these two libraries differ from each other. 
Since both diameter servers should provide (almost) identical diameter interface to a client, it should be possible to enable the same ciphersuites for both of the implementations. So should both offer the same set of ciphersuites to a Diameter client. 
Our problem in case of GNU TLS is that we are  not able to exclude a specific ciphersuite (as in case of JSSE) before the TLS handshake, but only a set of ciphersuites corresponding to a cipher algorithm (or a key exchange algorithm or a MAC algorithm) by modifying the arrays cipher_priority, kx_priority and mac_priority accordingly, i.e. it does not seem to us possible for example to exclude the ciphersuite TLS_DHE_DSS_ARCFOUR_SHA1 but not TLS_RSA_ARCFOUR_SHA1. Does the current GNU TLS library (v. 2.2.5) provide a solution (that we have overlooked) ?
Thanks a lot,
Liisa & Scott
News, entertainment and everything you care about at Live.com. Get it now!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20081126/a7442c1c/attachment.htm>

More information about the Gnutls-help mailing list