[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6251) GnuTLS cipher suite failure

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6251) GnuTLS cipher suite failure
From: hyc@symas.com
Date: Thu, 13 Aug 2009 00:22:59 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

hyc@symas.com wrote:
> In fact, the list must be colon separated, and the "+" is required. Just
> listing the name will cause an error. Also, the actual suite names cannot be
> used, only the individual algorithm names are recognized. So instead of the
> suite name "TLS_RSA_AES_256_CBC_SHA1" you must specify "+AES-256-CBC:+SHA1".

To be precise, you must specify "+RSA:+AES-256-CBC:+SHA1".

> This method is more error-prone, because it makes it possible to specify a
> list of algorithms that do not conform to any valid suite.
>
> All in all, it may be best to revert back to using our own suite parser and
> ignore the one GnuTLS provides.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: (ITS#6252) GnuTLS subjectAltNames broken
Next by Date: Re: (ITS#6140) nadf.schema: AttributeType not found: "lastModifiedTime"
Index(es):
- Chronological
- Thread