manpagez: man pages & more
info gnutls
Home | html | info | man
[ << ] [ < ] [ Up ] [ > ] [ >> ]         [Top] [Contents] [Index] [ ? ]

7.9 Priority strings

In order to specify cipher suite preferences on a TLS session there are priority functions that accept a string specifying the enabled for the handshake algorithms. That string may contain a single initial keyword such as in Table 7.2 and may be followed by additional algorithm or special keywords.

PERFORMANCEAll the known to be secure ciphersuites are enabled, limited to 128 bit ciphers and sorted by terms of speed performance. The message authenticity security level is of 64 bits or more.
NORMALMeans all the known to be secure ciphersuites. The ciphers are sorted by security margin, although the 256-bit ciphers are included as a fallback only. The message authenticity security level is of 64 bits or more.
SECURE128Means all known to be secure ciphersuites that offer a security level 128-bit or more and a message authenticity security level of 80 bits or more.
SECURE192Means all the known to be secure ciphersuites that offer a security level 192-bit or more and a message authenticity security level of 128 bits or more.
SECURE256Currently alias for SECURE192.
SUITEB128Means all the NSA Suite B cryptography (RFC5430) ciphersuites with an 128 bit security level.
SUITEB192Means all the NSA Suite B cryptography (RFC5430) ciphersuites with an 192 bit security level.
EXPORTMeans all ciphersuites are enabled, including the low-security 40 bit ciphers.
NONEMeans nothing is enabled. This disables even protocols and compression methods. It should be followed by the algorithms to be enabled.

Table 7.2: Supported initial keywords.

Unless the initial keyword is "NONE" the defaults (in preference order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0, SSL3.0; for compression NULL; for certificate types X.509. In key exchange algorithms when in NORMAL or SECURE levels the perfect forward secrecy algorithms take precedence of the other protocols. In all cases all the supported key exchange algorithms are enabled(14).

Note that the SECURE levels distinguish between overall security level and message authenticity security level. That is because the message authenticity security level requires the adversary to break the algorithms at real-time during the protocol run, whilst the overall security level refers to off-line adversaries (e.g. adversaries breaking the ciphertext years after it was captured).

The NONE keyword, if used, must followed by keywords specifying the algorithms and protocols to be enabled. The other initial keywords may be followed by such keywords. The order with which every algorithm or protocol is specified is significant. Algorithms specified before others will take precedence. The supported algorithms and protocols are shown in Table 7.3. To avoid collisions in order to specify a compression algorithm in the priority string you have to prefix it with "COMP-", protocol versions with "VERS-", signature algorithms with "SIGN-" and certificate types with "CTYPE-". All other algorithms don’t need a prefix. Each specified keyword can be prefixed with any of the following characters.

’!’ or ’-’

appended with an algorithm will remove this algorithm.


appended with an algorithm will add this algorithm.

CiphersAES-128-CBC, AES-256-CBC, AES-128-GCM, CAMELLIA-128-CBC, CAMELLIA-256-CBC, ARCFOUR-128, 3DES-CBC ARCFOUR-40. Catch all name is CIPHER-ALL which will add all the algorithms from NORMAL priority.
Key exchangeRSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS, PSK, DHE-PSK, ECDHE-RSA, ANON-ECDH, ANON-DH, RSA-EXPORT. The Catch all name is KX-ALL which will add all the algorithms from NORMAL priority.
MACMD5, SHA1, SHA256, AEAD (used with GCM ciphers only). All algorithms from NORMAL priority can be accessed with MAC-ALL.
Compression algorithmsCOMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL.
TLS versionsVERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2, VERS-DTLS1.0. Catch all is VERS-TLS-ALL.
Signature algorithmsSIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-DSA-SHA1, SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5. Catch all is SIGN-ALL. This is only valid for TLS 1.2 and later.
Elliptic curvesCURVE-SECP192R1, CURVE-SECP224R1, CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1. Catch all is CURVE-ALL.

Table 7.3: The supported algorithm keywords in priority strings.

Note that the DHE key exchange methods are generally slower(15) than their elliptic curves counterpart (ECDHE). Moreover the plain Diffie-Hellman key exchange requires parameters to be generated and associated with a credentials structure by the server (see Parameter generation).

The available special keywords are shown in Table 7.4.

%COMPATwill enable compatibility mode. It might mean that violations of the protocols are allowed as long as maximum compatibility with problematic clients and servers is achieved. More specifically this string would disable TLS record random padding and tolerate packets over the maximum allowed TLS record.
%NO_EXTENSIONSwill prevent the sending of any TLS extensions in client side. Note that TLS 1.2 requires extensions to be used, as well as safe renegotiation thus this option must be used with care.
%SERVER_PRECEDENCEThe ciphersuite will be selected according to server priorities and not the client’s.
%DISABLE_SAFE_RENEGOTIATIONwill disable safe renegotiation completely. Do not use unless you know what you are doing. Testing purposes only.
%UNSAFE_RENEGOTIATIONwill allow handshakes and re-handshakes without the safe renegotiation extension. Note that for clients this mode is insecure (you may be under attack), and for servers it will allow insecure clients to connect (which could be fooled by an attacker). Do not use unless you know what you are doing and want maximum compatibility.
%PARTIAL_RENEGOTIATIONwill allow initial handshakes to proceed, but not re-handshakes. This leaves the client vulnerable to attack, and servers will be compatible with non-upgraded clients for initial handshakes. This is currently the default for clients and servers, for compatibility reasons.
%SAFE_RENEGOTIATIONwill enforce safe renegotiation. Clients and servers will refuse to talk to an insecure peer. Currently this causes interoperability problems, but is required for full protection.
%SSL3_RECORD_VERSIONwill use SSL3.0 record version in client hello. This is the default.
%LATEST_RECORD_VERSIONwill use the latest TLS version record version in client hello.
%VERIFY_ALLOW_SIGN_RSA_MD5will allow RSA-MD5 signatures in certificate chains.
%VERIFY_ALLOW_X509_V1_CA_CRTwill allow V1 CAs in chains.

Table 7.4: Special priority string keywords.

Finally the ciphersuites enabled by any priority string can be listed using the gnutls-cli application (see Invoking gnutls-cli), or by using the priority functions as in Listing the ciphersuites in a priority string.

Example priority strings are:

The default priority without the HMAC-MD5:

Specifying RSA with AES-128-CBC:

Specifying the defaults except ARCFOUR-128:

Enabling the 128-bit secure ciphers, while disabling SSL 3.0 and enabling compression:

[ << ] [ < ] [ Up ] [ > ] [ >> ]         [Top] [Contents] [Index] [ ? ]

This document was generated on March 2, 2012 using texi2html 5.0.

© 2000-2018
Individual documents may contain additional copyright information.