
Re: (ITS#6251) GnuTLS cipher suite failure

hyc@symas.com wrote:
> In fact, the list must be colon separated, and the "+" is required. Just
> listing the name will cause an error. Also, the actual suite names cannot be
> used, only the individual algorithm names are recognized. So instead of the
> suite name "TLS_RSA_AES_256_CBC_SHA1" you must specify "+AES-256-CBC:+SHA1".

To be precise, you must specify "+RSA:+AES-256-CBC:+SHA1".

> This method is more error-prone, because it makes it possible to specify a
> list of algorithms that do not conform to any valid suite.
> All in all, it may be best to revert back to using our own suite parser and
> ignore the one GnuTLS provides.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
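As an added illustration of the format described in this thread (not OpenLDAP's or GnuTLS's own code), the following Python translates suite names of the form "TLS_RSA_AES_256_CBC_SHA1" into the colon-separated, "+"-prefixed keyword list GnuTLS wants, flags strings that use bare names or suite names, and expands an algorithm list back into every suite it admits. Only the keywords RSA, AES-256-CBC and SHA1 are quoted on the page; the rest of the keyword table is an assumption made for the example.

```python
"""Cipher suite names vs. GnuTLS priority strings (added example, ITS#6251 thread).

GnuTLS rejects a suite name such as "TLS_RSA_AES_256_CBC_SHA1"; it expects a
colon-separated list of "+"-prefixed algorithm keywords such as
"+RSA:+AES-256-CBC:+SHA1".
"""
import itertools
import re

# Keyword spellings (assumption: GnuTLS keywords for these algorithms; the thread
# itself only shows RSA, AES-256-CBC and SHA1).
KX = {"RSA": "RSA", "DHE_RSA": "DHE-RSA", "DHE_DSS": "DHE-DSS"}
CIPHERS = {
    "AES_128_CBC": "AES-128-CBC",
    "AES_256_CBC": "AES-256-CBC",
    "3DES_EDE_CBC": "3DES-CBC",
}
# Both the "_SHA1" spelling used in the thread and the IANA "_SHA" spelling map to SHA1.
MACS = {"SHA1": "SHA1", "SHA": "SHA1", "SHA256": "SHA256", "MD5": "MD5"}
KNOWN = set(KX.values()) | set(CIPHERS.values()) | set(MACS.values())

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>RSA|DHE_RSA|DHE_DSS)_(?:WITH_)?(?P<cipher>.+?)_(?P<mac>SHA1|SHA256|SHA|MD5)$"
)


def suite_to_keywords(suite):
    """Split one suite name into its (kx, cipher, mac) GnuTLS keywords."""
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"unrecognised suite name: {suite}")
    try:
        return (KX[m["kx"]], CIPHERS[m["cipher"]], MACS[m["mac"]])
    except KeyError as e:
        raise ValueError(f"no keyword in this table for {e.args[0]} in {suite}") from None


def suites_to_priority(suites):
    """Build the colon-separated "+"-prefixed list for a set of suites.

    Keywords are grouped by kind (kx, cipher, mac) and de-duplicated, order kept.
    """
    kx, ciphers, macs = [], [], []
    for suite in suites:
        for bucket, kw in zip((kx, ciphers, macs), suite_to_keywords(suite)):
            if kw not in bucket:
                bucket.append(kw)
    return ":".join("+" + kw for kw in kx + ciphers + macs)


def check_priority(priority):
    """Return a list of problems with a priority string, in the terms of the thread:
    every token needs the '+' prefix, and suite names are not recognised."""
    problems = []
    for tok in priority.split(":"):
        if not tok.startswith("+"):
            problems.append(f"{tok!r} lacks the required '+' prefix")
        elif tok[1:].startswith("TLS_"):
            problems.append(f"{tok!r} is a suite name, not an algorithm keyword")
        elif tok[1:] not in KNOWN:
            problems.append(f"{tok!r} is not a keyword in this example's table")
    return problems


def admitted_suites(priority):
    """Expand an algorithm list into every kx/cipher/mac combination it allows.

    This is the error-prone part the thread points at: the list enables algorithm
    sets, not suites, so listing two suites can admit combinations of their parts
    that were never asked for.
    """
    inverse = {}
    for table in (KX, CIPHERS, MACS):
        for name, kw in table.items():
            inverse.setdefault(kw, name)  # first spelling wins (SHA1 over SHA)
    keys = [tok[1:] for tok in priority.split(":") if tok.startswith("+")]
    kx = [inverse[k] for k in keys if k in KX.values()]
    ciphers = [inverse[k] for k in keys if k in CIPHERS.values()]
    macs = [inverse[k] for k in keys if k in MACS.values()]
    return [f"TLS_{a}_{b}_{c}" for a, b, c in itertools.product(kx, ciphers, macs)]


if __name__ == "__main__":
    print(suites_to_priority(["TLS_RSA_AES_256_CBC_SHA1"]))
    print(check_priority("AES-256-CBC:+SHA1"))
    two = suites_to_priority(["TLS_RSA_AES_128_CBC_SHA1", "TLS_DHE_RSA_AES_256_CBC_SHA256"])
    print(two)
    for s in admitted_suites(two):
        print("  admits", s)
```

Running the script shows the single suite from the thread becoming "+RSA:+AES-256-CBC:+SHA1", and two requested suites producing an algorithm list that admits eight combinations, which is the over-permissiveness that motivates keeping a suite-level parser on the OpenLDAP side.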