[mod_gnutls-devel] Does mod-gnutls supports GCM mode?

Peter Ulber pu at uni-konstanz.de
Tue Nov 4 07:38:43 CET 2014


Hi,

> > For TLS 1.2 I wanted to use GCM instead of CBC, but it seems that
> > mod-gnutls doesn't support that. It would be nice having it :)
> > Additionally it's hard to find out what priority strings are actually
> > supported. I looked it up here:
> 
> I don't know whether there are restrictions to the priority strings used
> by mod_gnutls, but if you can freely select gnutls' strings an
> equivalent to what you had is the following:
> "NORMAL:-VERS-SSL3.0:-RSA:-ARCFOUR-128:-SIGN-RSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-DSA-SHA1:%SERVER_PRECEDENCE"

That string does not work with mod_gnutls (at least with v0.5), because
there seem to be restrictions when it comes to the priority strings, but
I found no proper documentation what strings are actually allowed, e.g.
"%SERVER_PRECEDENCE" does not work.

> You can always see what a string enables using gnutls-cli -l --priority
> "xxx".

I know, but not everything which works with gnutls-cli will work with
mod_gnutls, e.g. the GCM mode for AES.

> The difference with what you have, is that it enables everything known
> to be secure, and disables the known to be insecure algorithms. For
> example your string disabled signing with SHA224, SHA384 and SHA512, as
> well as elliptic curves and there is no security reason for that.

I agree with you on SHA-2, but I am a bit sceptical when it comes to
ECC, e.g. there are some constants which may have a dubious origin ;-)

> Also beware that you shouldn't add -SIGN-RSA-SHA1 if your certificate is
> signed with SHA1. It could cause issues to clients that strictly follow
> the protocol (and is pointless as anyway SHA1 remains the weakest link).

Thx for that hint!

Regards,
Peter

-- 
Peter Ulber --- KIM Basisdienste an der Universität Konstanz
V404 (Tel: +49 7531 88 2622) - Mail/XMPP: pu at uni-konstanz.de
https://www.rz.uni-konstanz.de/rechenzentrum/team/peterulber
S/MIME Fingerprint: E1353193E1BD5ED2F34759168686ABAEFF1F7B9D
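The thread never spells out the shape of a GnuTLS priority string, so here is a small parser/linter for it, added as an example and not code from mod_gnutls, GnuTLS or anyone in the thread. It tokenizes the initial keyword (NORMAL etc.), the `+`/`-`/`!` modifiers and the `%` special options, then applies the two caveats raised above: `%SERVER_PRECEDENCE` is flagged because the thread reports it does not work with mod_gnutls 0.5 (that one-element set is the only mod_gnutls knowledge encoded here; it is an assumption that nothing else is rejected), and `-SIGN-RSA-SHA1` is flagged when the caller says the server certificate is itself SHA1-signed. The `check_command` helper only builds the `gnutls-cli -l --priority` argv mentioned in the thread for the reader to run by hand.

```python
"""Parse and lint GnuTLS priority strings (added example, not GnuTLS/mod_gnutls code)."""
from dataclasses import dataclass, field
from typing import List

# The priority string proposed in the thread, reused here as constructed test input.
PRIORITY_FROM_THREAD = (
    "NORMAL:-VERS-SSL3.0:-RSA:-ARCFOUR-128:-SIGN-RSA-SHA1"
    ":-SIGN-ECDSA-SHA1:-SIGN-DSA-SHA1:%SERVER_PRECEDENCE"
)

# Special options the thread reports as rejected by mod_gnutls 0.5.
# Assumption: this is the only restriction we know of; it is not a complete list.
MODGNUTLS_REJECTED_SPECIAL = {"%SERVER_PRECEDENCE"}


@dataclass
class Priority:
    initial: str                       # e.g. NORMAL, SECURE128, PERFORMANCE, NONE
    added: List[str] = field(default_factory=list)    # "+ALGO" modifiers
    removed: List[str] = field(default_factory=list)  # "-ALGO" / "!ALGO" modifiers
    special: List[str] = field(default_factory=list)  # "%OPTION" entries
    errors: List[str] = field(default_factory=list)   # syntax problems found while parsing


def classify(algo: str) -> str:
    """Coarse category of a modifier: protocol version, signature algorithm, or other."""
    if algo.startswith("VERS-"):
        return "protocol version"
    if algo.startswith("SIGN-"):
        return "signature algorithm"
    return "cipher/kx/mac/other"


def parse_priority(spec: str) -> Priority:
    """Split a colon-separated priority string into its initial keyword and modifiers."""
    tokens = [t for t in spec.strip().strip('"').split(":") if t]
    if not tokens:
        raise ValueError("empty priority string")
    prio = Priority(initial=tokens[0])
    for tok in tokens[1:]:
        if tok.startswith("+"):
            prio.added.append(tok[1:])
        elif tok[0] in "-!":               # both prefixes remove an algorithm
            prio.removed.append(tok[1:])
        elif tok.startswith("%"):
            prio.special.append(tok)
        else:
            prio.errors.append(f"token without +/-/!/% prefix: {tok}")
    return prio


def lint(spec: str, target: str = "mod_gnutls",
         cert_signed_with_sha1: bool = False) -> List[str]:
    """Return human-readable warnings for the given priority string and deployment."""
    prio = parse_priority(spec)
    warnings = list(prio.errors)
    if target == "mod_gnutls":
        for opt in prio.special:
            if opt in MODGNUTLS_REJECTED_SPECIAL:
                warnings.append(f"{opt} reported not to work with mod_gnutls 0.5; "
                                "drop it or verify against your version")
    if cert_signed_with_sha1 and "SIGN-RSA-SHA1" in prio.removed:
        warnings.append("-SIGN-RSA-SHA1 removed but the server certificate is SHA1-signed; "
                        "strictly conforming clients may refuse the handshake")
    return warnings


def check_command(spec: str) -> List[str]:
    """argv for the gnutls-cli invocation the thread suggests for inspecting a string."""
    return ["gnutls-cli", "-l", "--priority", spec]


if __name__ == "__main__":
    p = parse_priority(PRIORITY_FROM_THREAD)
    print("initial:", p.initial)
    for algo in p.removed:
        print(f"  removes {algo:18} ({classify(algo)})")
    for w in lint(PRIORITY_FROM_THREAD, cert_signed_with_sha1=True):
        print("WARNING:", w)
    print("inspect with:", " ".join(check_command(PRIORITY_FROM_THREAD)))
```

Run it as-is to see the thread's string broken down; pass `target="gnutls-cli"` to `lint` when the string is only meant for the command-line tool, where the thread reports no such restriction.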