[Bug 71304] prefer PFS cipher suites and TLS 1.2; optionally disable SSLv3, SSLv2
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Wed Nov 6 06:09:54 PST 2013
https://bugs.freedesktop.org/show_bug.cgi?id=71304
--- Comment #2 from Simon McVittie <simon.mcvittie at collabora.co.uk> ---
(In reply to comment #0)
> o prefer the latest version of TLS (TLS 1.2)
GNUTLS' "NORMAL" configuration does that, according to the documentation.
It's not clear to me how much NORMAL hurts interop vs. NORMAL:%COMPAT.
> o disable support for the older and less secure SSL standard
> (SSLv2 and SSLv3)
GNUTLS' "NORMAL" configuration disables SSLv2 but not SSLv3.
If we want to disable SSLv3, we'd use
NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0 or something like that.
> o provide configuration options to prefer or require cipher
> suites that enable forward secrecy
GNUTLS' "NORMAL" configuration prefers PFS, according to the documentation.
Disabling non-PFS altogether doesn't seem to be possible, at least in gnutls26
as shipped in Debian: there's no KX-ALL. We could say
NORMAL:-RSA:-SRP:-SRP-RSA:-SRP-DSS:-PSK:-ANON-DH:-RSA-EXPORT
(i.e. disable all current key exchange mechanisms except DHE-*) but then if a
new non-PFS algorithm is added, we still lose...
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
More information about the telepathy-bugs
mailing list