[gnutls-help] User-level visibility of GnuTLS security and tuning

Ted Zlatanov tzz at lifelogs.com
Thu Dec 11 16:31:44 CET 2014

On Tue, 9 Dec 2014 17:25:28 +0100 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote: 

NM> (btw. there is no SSL 1.0)

Yup, sorry.  So we should definitely not allow it ;)

NM> I think a good approach is to define few understandable policies.
NM> Fedora for example provides LEGACY, DEFAULT and FUTURE. The idea is
NM> that legacy would work with any server providing something better than
NM> plaintext, default a reasonable security level for today's metrics,
NM> and future is a security level with the state of the art encryption
NM> requirements of today.
NM> You may get inspired by the gnutls settings for them:
NM> https://github.com/nmav/fedora-crypto-policies/tree/master/profiles

OK, that's very helpful. So that's an application-level setting that
manages the GnuTLS settings and messaging. That's what Lars has done
with the Emacs `network-security-level' variable, so users just have to
set one thing.  We'll stick with that.


More information about the Gnutls-help mailing list