Re: Additional network security

[Ted Zlatanov]

On Thu, 18 Dec 2014 22:54:24 +0100 Reiner Steib <address@hidden> wrote: 

RS> Lars Magne Ingebrigtsen wrote:
>> Ted Zlatanov <address@hidden> writes:
>> 
>>> How about extending the GnuTLS priority string to also specify the NSM
>>> level, DH bits, etc? So the user would say "NORMAL:NSM(medium,dh=1024)"
>>> and we'd cut out all the NSM bits before passing it on to GnuTLS. If
>>> there's nothing in the priority string, we'd look at
>>> `network-security-level', that would be the out-of-the-box use case.
>> 
>> I'm not sure we need to allow this to be customised at this fine-grained
>> level.  Does Firefox allow that, for instance?

RS> At least there's security.tls.version.min,
RS> security.ssl3.ecdhe_ecdsa_rc4_128_sha, and several other security.*
RS> prefs.  Dunno how these relate to Ted's suggestion.

I think most of those can be specified with the GnuTLS priority string,
but it's somewhat obscure how to do it. The GnuTLS guys suggested we
link the `network-security-level' or another variable to some default
priority string combinations, following at least the pattern of
https://github.com/nmav/fedora-crypto-policies/tree/master/profiles

Thread reference:
http://thread.gmane.org/gmane.network.gnutls.general/3695/focus=3696

If anyone is interested in providing a patch, feel free.  My suggestion
would be to provide some customize defaults for `gnutls-priority-string'
that are tagged helpfully and maybe even make them symbols (so the
translation to actual priority string happens under the covers).

Ted