[gnutls-help] gnutls_dh_set_prime_bits question

Ted Zlatanov tzz at lifelogs.com
Tue Jul 9 15:13:59 CEST 2013


On Sun, 07 Jul 2013 19:36:18 +0200 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote: 

NM> On 07/02/2013 08:31 PM, Ted Zlatanov wrote:
>> I think negotiating the connection twice is unacceptable for
>> performance.  We have to find a way to do it in one attempt, even if the
>> user has to configure something about the exceptional servers.  Can we
>> always try ECDHE and only do DHE if the user tells us so?

NM>  You can always disable DHE. That way ECDHE will be negotiated with RSA
NM> as fallback.

I'm sorry to keep asking, but I can't find this explicitly in the
manual.  Maybe I'm looking in the wrong places.  From
http://gnutls.org/manual/html_node/Priority-Strings.html I am guessing
that:

1) Including ANON-ECDH enables ECDHE
2) !DHE-RSA:!DHE-DSS disables DHE (not sure if DHE-RSA should be enabled for us)
3) NORMAL enables DHE and ECDHE

Can you confirm this?

It would be very nice if the initial keywords' description in that
documentation page actually showed what's enabled by each one,
especially "NORMAL".

I also can't tell how to set the DH minimum prime bits in a priority
string, if that's possible at all.

I can write additions to the manual to explain any of the above if you
think they are needed.

Thanks!
Ted
