Changeset c3c96ca in mod_gnutls for doc


Timestamp:
Jun 20, 2016, 2:51:01 PM (18 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, upstream
Children:
df49a2d
Parents:
fc124e9
git-author:
Thomas Klute <thomas2.klute@…> (06/20/16 14:47:43)
git-committer:
Thomas Klute <thomas2.klute@…> (06/20/16 14:51:01)
Message:

Handbook: Update and simplify description of GnuTLSPriorities

The section has been shortened quite a bit. Anyone who is looking to
build their own priority list should really consult the GnuTLS
documentation. A rarely updated handbook is not the right place for
advice on cipher suites.

File:
1 edited

  • doc/mod_gnutls_manual.mdwn

    rfc124e9 rc3c96ca  
    325325------------------
    326326
    327 Set the allowed ciphers, key exchange algorithms, MACs and compression
    328 methods
     327Set the allowed protocol versions, ciphers, key exchange algorithms,
     328MACs and compression methods
    329329
    330330    GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
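Review bot: The summary on new lines 327-328 now leads with protocol versions, but the unchanged synopsis on line 330 still shows only `+CIPHER_0:+CIPHER_1:...:+CIPHER_N`, so the two no longer match. Consider a neutral placeholder in the synopsis (for example `NORMAL:+KEYWORD_0:...:+KEYWORD_N`) so readers do not assume only ciphers can be listed.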
     
    333333Context: server config, virtual host
    334334
    335 Takes a semi-colon separated list of ciphers, key exchange methods
    336 Message authentication codes and compression methods to enable.
    337 The allowed keywords are specified in the `gnutls_priority_init()`
    338 function of GnuTLS.
    339 
    340 Full details can be found at [the GnuTLS documentation](http://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings).
    341 In brief you can specify a set of ciphersuites from the choices:
    342 
    343 `NONE`
    344 :   The empty list.
    345 
    346 `EXPORT`
    347 :   A list with all the supported cipher combinations
    348     including the `EXPORT` strength algorithms.
     335Takes a colon separated list of protocol version, ciphers, key
     336exchange methods message authentication codes, and compression methods
     337to enable. The allowed keywords are specified in the
     338`gnutls_priority_init()` function of GnuTLS.
     339
     340Please refer to [the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings)
     341for details. A few commonly used sets are listed below, note that
     342their exact meaning may change with GnuTLS versions.
    349343
    350344`PERFORMANCE`
    351 :   A list with all the secure cipher combinations sorted in terms of performance.
     345:   A list with all the secure cipher combinations sorted in terms of
     346    performance.
    352347
    353348`NORMAL`
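Review bot: The added sentence on new lines 335-336 has lost a comma and a plural: "protocol version, ciphers, key exchange methods message authentication codes" should read "protocol versions, ciphers, key exchange methods, message authentication codes". On new lines 341-342, "are listed below, note that their exact meaning may change" is a comma splice; splitting it into two sentences makes the version caveat stand out, which matters because that caveat is the main reason this section was shortened.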
     
    355350    with respect to security margin (subjective term).
    356351
    357 `SECURE`
    358 :   A list with all the secure cipher combinations including
    359     the 256-bit ciphers sorted with respect to security margin.
    360 
    361 Additionally you can add or remove algorithms using the `+` and `!`
    362 prefixes respectively.
    363 
    364 For example, in order to disable the `ARCFOUR` cipher from the `NORMAL` set
    365 you can use the string `NORMAL:!ARCFOUR-128`
    366 
    367 Other options such as the protocol version and the compression method
    368 can be specified using the `VERS-` and `COMP-` prefixes.
    369 
    370 So in order to remove or add a specific TLS version from the `NORMAL`
    371 set, use `NORMAL:!VERS-SSL3.0`.  And to enable zlib compression use
    372 `NORMAL:+COMP-DEFLATE`.
    373 
    374 
    375 However it is recommended not to add compression at this level.  With
    376 the `NONE` set, in order to be usable, you have to specify a complete
    377 set of combinations of protocol versions, cipher algorithms
    378 (`AES-128-CBC`), key exchange algorithms (`RSA`), message
    379 authentication codes (`SHA1`) and compression methods (`COMP-NULL`).
     352`SECURE128`
     353:   A list with all the secure cipher suites that offer a security level
     354    of 128-bit or more.
     355
     356`PFS`
     357:   Only cipher suites offering perfect forward secrecy (ECDHE and DHE),
     358    sorted by security margin.
     359
     360You can add or remove algorithms using the `+` and `!` prefixes
     361respectively. For example, in order to use the `NORMAL` set but
     362disable TLS 1.0 and 1.1 you can use the string
     363`NORMAL:!VERS-TLS1.0:!VERS-TLS1.1`.
    380364
    381365You can find a list of all supported Ciphers, Versions, MACs, etc.  by
    382366running `gnutls-cli --list`.
    383 
    384 The special keyword `%COMPAT` will disable some security features such
    385 as protection against statistical attacks to ciphertext data in order to
    386 achieve maximum compatibility (some broken mobile clients need this).
    387367
    388368`GnuTLSP11Module`
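Review bot: The example on new lines 362-363 uses the `VERS-` prefix, but this hunk removes the only paragraph that introduced it (old 367-368), and the lead-in on new line 360 still says `+` and `!` apply to "algorithms" while the example removes protocol versions. A short clause such as "protocol versions are named with the `VERS-` prefix" before the example would close that gap. Separately, dropping the `%COMPAT` paragraph (old 384-386) removes the handbook's only statement that this keyword disables some security features; a one-line caution would still help administrators who already have `%COMPAT` in their configuration.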