kx srp vs dhe
Nikos Mavrogiannopoulos
nmav at gnutls.org
Fri Dec 18 10:58:11 CET 2009
Adda Rathbone wrote:
> Hello,
> I am writing a server using gnutls. The main idea was that a user
> connects with a password. For that reason I want to use the SRP
> authentication and as fallback the normal x509 authentication.
>
> However if I use the gnutls_certificate_set_dh_params()
> function in my server program, my srp client won't use the SRP kx
> anymore (now it uses DHE-RSA).
> Is there a reason for this behaviour?
>
> I thought SRP would behave like PSK (PSK is not affected).
> Does this mean SRP kx is not as secure as DHE kx?
> PS:
> client prio. settings: "SECURE256:+SRP"
> server prio. settings: "SECURE256:+SRP:+SRP-DSS:+SRP-RSA"
This only has to do with priorities. By using
gnutls_certificate_set_dh_params() you effectively enable the DHE
ciphersuites that happen to take precedence to the SRP ones (that is
what your priority string shows).
regards,
Nikos
More information about the Gnutls-help
mailing list