gnutls 2.10 won't negotiate TLS 1.2 if priority is set to "SECURE256"
Nikos Mavrogiannopoulos
nmav at gnutls.org
Thu May 26 19:13:27 CEST 2011
On 05/26/2011 05:56 PM, Sam Varshavchik wrote:
> I rebuilt a client/server against gnutls 2.10, from 2.8 before. I
> give "SECURE256:-CTYPE-OPENPGP" to gnutls_priority_set_direct() on
> both the client and the server side. After updating to 2.10, TLS
> negotiation fails a GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM.
Thanks for reporting that. Confirmed. SECURE256 requires SHA-512 but
gnutls will not use SHA-512 for its handshake process (only SHA-1 and
SHA-256).
To work-around that don't use SECURE256. The weakest link in
TLS handshake provides security of 96-bits. So by
using SECURE256 you are not increasing the security, you
are just using bigger keys.
regards,
Nikos
More information about the Gnutls-help
mailing list