[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [gnutls-dev] 256 bit ciphers
From: |
Nikos Mavrogiannopoulos |
Subject: |
Re: [gnutls-dev] 256 bit ciphers |
Date: |
Mon, 15 Oct 2007 00:24:32 +0300 |
User-agent: |
KMail/1.9.6 (enterprise 0.20070907.709405) |
On Saturday 13 October 2007, Simon Josefsson wrote:
> Nikos Mavrogiannopoulos <address@hidden> writes:
> > Hello,
> > I think the 256 ciphers offer no more in security than their 128 bit
> > equivalents and they are in general slower. Thus I think it would be a
> > good idea to remove them from the default priority lists. Are there any
> > objections or good reason to keep them?
>
> The gnutls_set_default_export_priority function is the same both for
> clients and servers, and while it may make sense to only use 128 bits by
> default in clients, not supporting 256 bits in servers seems
> problematic. What if a client supports AES-256 and ARCFOUR-128 connects
> to a GnuTLS server with default settings? Then they would end up with
> ARCFOUR-128 which seems bad.
> There should probably had been two "default" functions, one for clients
> and one for servers, since the defaults may be different. It may be too
> late to change that.
Indeed. Yes maybe it is a good idea for the default ciphers to contain all the
strong supported ciphers.
regards,
Nikos