On Sun, May 18, 2008 at 12:48:44PM +0300, Nikos Mavrogiannopoulos wrote:
> The problem with direct ciphersuite setting is that administrators
> don't know what each ciphersuite does, offers or costs. Maybe they don't
> even care. That's why I think that the new priority API should be used
> for applications that want to provide configurable security levels such
> as "PERFORMANCE", "NORMAL", "SECURE128", "SECURE256" and even set
> individual ciphers if needed.
I am a system administrator and programmer and I do know what each ciphersuite does, offers, and costs. I've implemented cryptographic algorithms, including the second-fastest non-assembly implementation of MD5 (according to my testing). I'm well-versed in cryptography and have strong opinions about what algorithms I want and do not want; those opinions are based on research and fact, not a quick Google search. In fact, I happen to know that the documentation for GnuTLS is wrong when it claims that "[t]here are no known weaknesses of" MD2. Such weaknesses have been known for quite some time; in fact, certain weaknesses in the compression function have been known longer than (AFAICT) GnuTLS has existed. And that's to say nothing about it being dog-slow (14 times slower than SHA-256).

> For this reason I'd suggest to use and provide a reasonable default
> (NORMAL, or HIGH and let others modify it).

Obviously, as we've discussed before, we disagree on a "reasonable default". If we can agree on such a default, that's fine, as long as it can be changed by the administrator. But that's not the matter here.

This bug is discussing the use of OpenSSL-compatible cipher names. OpenSSL is *the* choice for cryptographic implementation in the GNU/Linux world. Which implementation (OpenSSL or GnuTLS) is actually being used is an implementation detail. If Debian uses GnuTLS for a program and Fedora uses OpenSSL, the cipher specifications for that program will be totally different—for no good reason. There's really no good reason for this. And the OpenSSL names, besides being more common, are shorter, clearer, and more easily understood.

The GnuTLS priorities (which I am not proposing removing, only adding to) are defined only very vaguely in gnutls-cli(1). Looking at the source, RC4 is defined in SECURE256, and due to major weaknesses in its key scheduling (which can be used very effectively against e.g. WEP), I would absolutely not want to use it if any other choice were available. Had I not looked at the source, I would never have known this. I would certainly not class it as "secure". The OpenSSL syntax allows me to specify that it is to be the last possible choice: AES:CAMELLIA:3DES:@STRENGTH:+RC4:!EXPORT.

I think it's reasonable to allow OpenSSL-compatible ciphersuite names. In fact, I think it's a really good idea. I would even implement it myself, but I refuse to assign copyright[0], and I'm not going to waste time writing code that will be thrown away. Nevertheless, I strongly urge you to support the OpenSSL syntax.

[0] This is a blanket policy unless we've executed a consulting contract that says otherwise. I think that when I make a contribution to a project, it's only fair to be attributed as the author of my work; my copyright notice ensures that I get credit for the work I've done.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
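The OpenSSL cipher-string syntax used in the message above, walked through in code as an added example (not code from the post, from OpenSSL or from GnuTLS): a small model of the ciphers(1) list rules over a constructed, simplified suite table. Under those rules `+` only reorders suites that are already in the list, so with the string exactly as written the RC4 suites are never enabled at all, while `!EXPORT` removes the export-grade suites so that no later token can bring them back.

```python
"""Minimal model of OpenSSL's cipher-list string semantics (see ciphers(1)).

SUITES is a small constructed subset of old OpenSSL suite names with
simplified keyword attributes; it is not read from any OpenSSL build.
"""

# name -> (keywords the suite matches, key bits used by @STRENGTH)
SUITES = {
    "AES256-SHA":      ({"AES", "SHA1", "RSA"}, 256),
    "AES128-SHA":      ({"AES", "SHA1", "RSA"}, 128),
    "CAMELLIA256-SHA": ({"CAMELLIA", "SHA1", "RSA"}, 256),
    "CAMELLIA128-SHA": ({"CAMELLIA", "SHA1", "RSA"}, 128),
    "DES-CBC3-SHA":    ({"3DES", "SHA1", "RSA"}, 168),
    "RC4-SHA":         ({"RC4", "SHA1", "RSA"}, 128),
    "RC4-MD5":         ({"RC4", "MD5", "RSA"}, 128),
    "EXP-RC4-MD5":     ({"RC4", "MD5", "RSA", "EXPORT"}, 40),
    "EXP-DES-CBC-SHA": ({"DES", "SHA1", "RSA", "EXPORT"}, 40),
}


def matches(name, word):
    """A word selects a suite by exact name or by any of its keywords."""
    return name == word or word in SUITES[name][0]


def resolve(cipher_string):
    """Return the ordered list of suites enabled by an OpenSSL-style string."""
    enabled = []        # current ordered list
    forbidden = set()   # suites killed with '!' can never be re-added
    for token in filter(None, cipher_string.split(":")):
        if token == "@STRENGTH":
            enabled.sort(key=lambda n: -SUITES[n][1])  # stable, strongest first
            continue
        op, word = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        hits = [n for n in SUITES if matches(n, word)]
        if op == "":       # add matching suites not yet present, in table order
            enabled += [n for n in hits if n not in enabled and n not in forbidden]
        elif op == "+":    # move suites already present to the end; adds nothing
            enabled = [n for n in enabled if n not in hits] + [n for n in enabled if n in hits]
        elif op == "-":    # remove, but a later token may add them back
            enabled = [n for n in enabled if n not in hits]
        else:              # '!': remove and forbid permanently
            forbidden.update(hits)
            enabled = [n for n in enabled if n not in hits]
    return enabled


if __name__ == "__main__":
    print(resolve("AES:CAMELLIA:3DES:@STRENGTH:+RC4:!EXPORT"))
```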