help-gnutls
priority strings behavior


From: ben thielsen
Subject: priority strings behavior
Date: Tue, 5 Jul 2011 02:41:47 -0400

hi-

i'm experimenting a bit with setting specific priority strings.  i've been 
reading some of the documentation, namely gnutls.pdf from 
http://www.gnu.org/software/gnutls/documentation.html and man 1 gnutls-cli, but 
i think some of the nuances are escaping me.  i get the feeling that specifying 
certain things [specifically, cipher suites] will inherently also enable other 
certain things - is this true?  are the cipher suites just shorthand methods 
for enabling multiple other specific things at once?  is there somewhere 
documented which settings turn on other settings, and what they are?

more specifically, i'd like to enable only the following:

protocols:
TLS1.2
TLS1.1

certificate types:
X.509
OPENPGP

ciphers:
AES-256-CBC
CAMELLIA-256-CBC

macs:
SHA512

key exchange methods:
RSA
DHE-DSS
DHE-RSA
DHE-PSK
SRP
SRP-DSS
SRP-RSA
PSK

public key algorithms:
RSA
DSA

public key signature algorithms:
SIGN-RSA-SHA512
SIGN-DSA-SHA256

compression:
DEFLATE
NULL

but - given the output of gnutls-cli --list:

>gnutls-cli --list
Cipher suites:
TLS_ANON_DH_ARCFOUR_MD5                                 0x00, 0x18      SSL3.0
TLS_ANON_DH_3DES_EDE_CBC_SHA1                           0x00, 0x1b      SSL3.0
TLS_ANON_DH_AES_128_CBC_SHA1                            0x00, 0x34      SSL3.0
TLS_ANON_DH_AES_256_CBC_SHA1                            0x00, 0x3a      SSL3.0
TLS_ANON_DH_CAMELLIA_128_CBC_SHA1                       0x00, 0x46      TLS1.0
TLS_ANON_DH_CAMELLIA_256_CBC_SHA1                       0x00, 0x89      TLS1.0
TLS_PSK_SHA_ARCFOUR_SHA1                                0x00, 0x8a      TLS1.0
TLS_PSK_SHA_3DES_EDE_CBC_SHA1                           0x00, 0x8b      TLS1.0
TLS_PSK_SHA_AES_128_CBC_SHA1                            0x00, 0x8c      TLS1.0
TLS_PSK_SHA_AES_256_CBC_SHA1                            0x00, 0x8d      TLS1.0
TLS_DHE_PSK_SHA_ARCFOUR_SHA1                            0x00, 0x8e      TLS1.0
TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1                       0x00, 0x8f      TLS1.0
TLS_DHE_PSK_SHA_AES_128_CBC_SHA1                        0x00, 0x90      TLS1.0
TLS_DHE_PSK_SHA_AES_256_CBC_SHA1                        0x00, 0x91      TLS1.0
TLS_SRP_SHA_3DES_EDE_CBC_SHA1                           0xc0, 0x1a      TLS1.0
TLS_SRP_SHA_AES_128_CBC_SHA1                            0xc0, 0x1d      TLS1.0
TLS_SRP_SHA_AES_256_CBC_SHA1                            0xc0, 0x20      TLS1.0
TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1                       0xc0, 0x1c      TLS1.0
TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1                       0xc0, 0x1b      TLS1.0
TLS_SRP_SHA_DSS_AES_128_CBC_SHA1                        0xc0, 0x1f      TLS1.0
TLS_SRP_SHA_RSA_AES_128_CBC_SHA1                        0xc0, 0x1e      TLS1.0
TLS_SRP_SHA_DSS_AES_256_CBC_SHA1                        0xc0, 0x22      TLS1.0
TLS_SRP_SHA_RSA_AES_256_CBC_SHA1                        0xc0, 0x21      TLS1.0
TLS_DHE_DSS_ARCFOUR_SHA1                                0x00, 0x66      TLS1.0
TLS_DHE_DSS_3DES_EDE_CBC_SHA1                           0x00, 0x13      SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA1                            0x00, 0x32      SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA1                            0x00, 0x38      SSL3.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1                       0x00, 0x44      TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1                       0x00, 0x87      TLS1.0
TLS_DHE_RSA_3DES_EDE_CBC_SHA1                           0x00, 0x16      SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA1                            0x00, 0x33      SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA1                            0x00, 0x39      SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1                       0x00, 0x45      TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1                       0x00, 0x88      TLS1.0
TLS_RSA_NULL_MD5                                        0x00, 0x01      SSL3.0
TLS_RSA_EXPORT_ARCFOUR_40_MD5                           0x00, 0x03      SSL3.0
TLS_RSA_ARCFOUR_SHA1                                    0x00, 0x05      SSL3.0
TLS_RSA_ARCFOUR_MD5                                     0x00, 0x04      SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1                               0x00, 0x0a      SSL3.0
TLS_RSA_AES_128_CBC_SHA1                                0x00, 0x2f      SSL3.0
TLS_RSA_AES_256_CBC_SHA1                                0x00, 0x35      SSL3.0
TLS_RSA_CAMELLIA_128_CBC_SHA1                           0x00, 0x41      TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA1                           0x00, 0x84      TLS1.0
Certificate types: X.509, OPENPGP
Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2
Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128, ARCFOUR-40, 
RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL
MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, NULL
Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP-DSS, 
SRP-RSA, SRP, PSK, DHE-PSK
Compression: DEFLATE, NULL
Public Key Systems: RSA, DSA
PK-signatures: RSA-SHA, RSA-SHA256, RSA-SHA384, RSA-SHA512, RSA-RMD160, 
DSA-SHA, RSA-MD5, RSA-MD2

...it seems like there's some contradiction between the list of cipher suites 
and the list of MACs?  i can somehow use sha512, but none of the cipher suites 
can?

this particular instance is older:
>gnutls-cli -v
gnutls-cli (GnuTLS) 2.8.6

...and i see here 

http://www.gnu.org/software/gnutls/manual/html_node/All-the-supported-ciphersuites-in-GnuTLS.html#ciphersuites

that there appear to be some sha2 algorithms listed in the ciphersuites for 
perhaps newer versions - but even then, no 512 - just 256?

thanks
-ben
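
Added example, not part of the original message or of GnuTLS: a cipher suite is a fixed key-exchange/cipher/MAC triple, so a suite from the listing is usable only when all three of its parts are on the allow-list. The script below checks the message's wish list against an excerpt of its own `gnutls-cli --list` output; the name-fragment mappings and helper names are assumptions made for this illustration.

```python
# Added example: which suites in a `gnutls-cli --list` dump survive an allow-list.
# KX_PREFIX / CIPHER_NAME map suite-name fragments to algorithm names; they are
# assumptions read off the names in the listing, not a GnuTLS API.
KX_PREFIX = [  # longer prefixes first so SRP_SHA_DSS wins over SRP_SHA
    ("SRP_SHA_DSS", "SRP-DSS"), ("SRP_SHA_RSA", "SRP-RSA"), ("DHE_PSK_SHA", "DHE-PSK"),
    ("RSA_EXPORT", "RSA-EXPORT"), ("ANON_DH", "ANON-DH"), ("DHE_DSS", "DHE-DSS"),
    ("DHE_RSA", "DHE-RSA"), ("PSK_SHA", "PSK"), ("SRP_SHA", "SRP"), ("RSA", "RSA"),
]
CIPHER_NAME = {"ARCFOUR": "ARCFOUR-128", "3DES_EDE_CBC": "3DES-CBC"}

# Excerpt of the listing quoted in the message above (GnuTLS 2.8.6).
LISTING = """\
TLS_ANON_DH_AES_256_CBC_SHA1                            0x00, 0x3a      SSL3.0
TLS_DHE_PSK_SHA_AES_256_CBC_SHA1                        0x00, 0x91      TLS1.0
TLS_SRP_SHA_DSS_AES_256_CBC_SHA1                        0xc0, 0x22      TLS1.0
TLS_DHE_RSA_AES_128_CBC_SHA1                            0x00, 0x33      SSL3.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1                       0x00, 0x88      TLS1.0
TLS_RSA_EXPORT_ARCFOUR_40_MD5                           0x00, 0x03      SSL3.0
TLS_RSA_ARCFOUR_SHA1                                    0x00, 0x05      SSL3.0
TLS_RSA_AES_256_CBC_SHA1                                0x00, 0x35      SSL3.0
"""

def parse_suite(name):
    """Split TLS_<kx>_<cipher>_<mac> into (kx, cipher, mac) algorithm names."""
    body, mac = name[len("TLS_"):].rsplit("_", 1)
    for prefix, kx in KX_PREFIX:
        if body.startswith(prefix + "_"):
            rest = body[len(prefix) + 1:]
            return kx, CIPHER_NAME.get(rest, rest.replace("_", "-")), mac
    raise ValueError("unrecognised key exchange in " + name)

def usable_suites(listing, kx_ok, ciphers_ok, macs_ok):
    """Return suite names whose kx, cipher and MAC are all in the allow-lists."""
    kept = []
    for line in listing.splitlines():
        if not line.startswith("TLS_"):
            continue  # skip the "Ciphers:", "MACs:" summary lines
        name = line.split()[0]
        kx, cipher, mac = parse_suite(name)
        if kx in kx_ok and cipher in ciphers_ok and mac in macs_ok:
            kept.append(name)
    return kept

WANT_KX = {"RSA", "DHE-DSS", "DHE-RSA", "DHE-PSK", "SRP", "SRP-DSS", "SRP-RSA", "PSK"}
WANT_CIPHERS = {"AES-256-CBC", "CAMELLIA-256-CBC"}

if __name__ == "__main__":
    print("MAC SHA512 only:", usable_suites(LISTING, WANT_KX, WANT_CIPHERS, {"SHA512"}))
    print("MAC SHA1 added: ", usable_suites(LISTING, WANT_KX, WANT_CIPHERS, {"SHA512", "SHA1"}))
```

Feeding it the full output of `gnutls-cli --list` instead of the excerpt works the same way, since lines that do not start with `TLS_` are skipped.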

