Re: Additional network security
From: Ted Zlatanov
Subject: Re: Additional network security
Date: Sat, 20 Dec 2014 06:27:25 -0500
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)
On Thu, 18 Dec 2014 22:54:24 +0100 Reiner Steib <address@hidden> wrote:
RS> Lars Magne Ingebrigtsen wrote:
>> Ted Zlatanov <address@hidden> writes:
>>
>>> How about extending the GnuTLS priority string to also specify the NSM
>>> level, DH bits, etc? So the user would say "NORMAL:NSM(medium,dh=1024)"
>>> and we'd cut out all the NSM bits before passing it on to GnuTLS. If
>>> there's nothing in the priority string, we'd look at
>>> `network-security-level', that would be the out-of-the-box use case.
>>
>> I'm not sure we need to allow this to be customised at this fine-grained
>> level. Does Firefox allow that, for instance?
RS> At least there's security.tls.version.min,
RS> security.ssl3.ecdhe_ecdsa_rc4_128_sha, and several other security.*
RS> prefs. Dunno how these relate to Ted's suggestion.
I think most of those can be specified with the GnuTLS priority string,
but it's somewhat obscure how to do it. The GnuTLS guys suggested we
link the `network-security-level' or another variable to some default
priority string combinations, following at least the pattern of
https://github.com/nmav/fedora-crypto-policies/tree/master/profiles
Thread reference:
http://thread.gmane.org/gmane.network.gnutls.general/3695/focus=3696
If anyone is interested in providing a patch, feel free. My suggestion
would be to provide some customize defaults for `gnutls-priority-string'
that are tagged helpfully and maybe even make them symbols (so the
translation to actual priority string happens under the covers).
Ted
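The proposed "NSM(...)" element and the fallback to `network-security-level', worked through as an added Emacs Lisp example that is not code from this thread or from Emacs itself. The level symbols and the priority strings in the table are illustrative assumptions, not Emacs or GnuTLS defaults, and `my-nsm-` names are hypothetical.

```elisp
;; Added example, not code from the thread or from Emacs itself.
;; Assumptions: the NSM(...) element follows the syntax proposed above; the
;; level symbols and priority strings in the table are illustrative only.
(require 'ert)

(defconst my-nsm-level-priorities
  '((low      . "NORMAL:%COMPAT")
    (medium   . "NORMAL")
    (high     . "SECURE128:-VERS-SSL3.0")
    (paranoid . "SECURE256:-VERS-SSL3.0:-VERS-TLS1.0"))
  "Illustrative mapping from a security-level symbol to a GnuTLS priority string.")

(defun my-nsm-split-priority (string)
  "Split STRING into a GnuTLS priority string and NSM settings.
For \"NORMAL:NSM(medium,dh=1024)\" return (\"NORMAL\" (level . medium) (dh . 1024)).
The NSM element is cut out so GnuTLS only ever sees syntax it understands."
  (let ((settings nil)
        (gnutls (or string "")))
    (when (string-match ":?NSM(\\([^)]*\\))" gnutls)
      (let ((body (match-string 1 gnutls)))
        (setq gnutls (concat (substring gnutls 0 (match-beginning 0))
                             (substring gnutls (match-end 0))))
        (dolist (item (split-string body "," t))
          (if (string-match "\\`\\([a-z]+\\)=\\([0-9]+\\)\\'" item)
              (push (cons (intern (match-string 1 item))
                          (string-to-number (match-string 2 item)))
                    settings)
            (push (cons 'level (intern item)) settings)))))
    ;; Drop the ":" left over when NSM(...) was the first element.
    (when (string-prefix-p ":" gnutls)
      (setq gnutls (substring gnutls 1)))
    (cons gnutls (nreverse settings))))

(defun my-nsm-effective-priority (string default-level)
  "Return the string to hand to GnuTLS for the user value STRING.
If nothing is left after removing the NSM element (or STRING is nil), use the
table entry for the NSM level, defaulting to DEFAULT-LEVEL, which mirrors
the proposed fallback to `network-security-level'."
  (let* ((parsed (my-nsm-split-priority string))
         (gnutls (car parsed))
         (level (or (cdr (assq 'level (cdr parsed))) default-level)))
    (if (string= gnutls "")
        (cdr (assq level my-nsm-level-priorities))
      gnutls)))

(ert-deftest my-nsm-split-priority-test ()
  (should (equal (my-nsm-split-priority "NORMAL:NSM(medium,dh=1024)")
                 '("NORMAL" (level . medium) (dh . 1024))))
  (should (equal (my-nsm-effective-priority "NSM(high)" 'medium)
                 "SECURE128:-VERS-SSL3.0")))
```

Evaluate the buffer and run `M-x ert RET my-nsm-split-priority-test RET` to exercise both the stripping and the fallback path.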