On Tue, 7 Dec 2004, Andreas Metzler wrote:
> Philip Hazel <ph10@???> wrote:
> [...]
> > Does it make sense to change the default order? What would you suggest?
> > The relevant code shows the current order:
>
> > static int default_cipher_priority[16] = {
> > GNUTLS_CIPHER_ARCFOUR_128,
> > GNUTLS_CIPHER_AES_128_CBC,
> > GNUTLS_CIPHER_3DES_CBC,
> > GNUTLS_CIPHER_ARCFOUR_40,
> > 0 };
>
> I'd appreciate if you could tell us which new ordering you have chosen
> once that has happened, as I'd like to replicate the change in Debian's
> exim packages rather sooner than later.
The consensus seems to be AES128, 3DES, ARCFOUR128, ARCFOUR40. There is
some debate about having ARCFOUR40 there at all, and I am wavering...
> * AES_256_CBC, AES_128_CBC, 3DES_CBC,
> * and ARCFOUR_128 for ciphers.
>
> Just as another datapoint.
That would suggest dropping ARCFOUR40 and adding AES256 at the start.
OK, that's what I'll think about doing.
> Afaict from NEWS
> gnutls_set_default_priority() was added in 0.5.9.
Exim uses gnutls_cipher_set_priority(). I guess that code predates the
new function. Or maybe it's something different. Sorry, I'm just not an
expert in this stuff.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book
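The two orderings discussed in this thread side by side, as an added example that is not Exim's or GnuTLS's own code: the GNUTLS_CIPHER_* constants are defined locally (assumed to mirror the gnutls_cipher_algorithm_t values in <gnutls/gnutls.h>) so the file builds without the library, and cipher_priority_ok() is a hypothetical pre-flight check that rejects a list still offering the 40-bit export cipher or ranking RC4 ahead of AES.

```c
/* Added example, not Exim's or GnuTLS's code. The enum values are assumed
 * to mirror gnutls_cipher_algorithm_t; they exist here only so this
 * compiles offline without <gnutls/gnutls.h>. */
#include <stddef.h>
#include <stdbool.h>

enum {
    GNUTLS_CIPHER_ARCFOUR_128 = 2,
    GNUTLS_CIPHER_3DES_CBC    = 3,
    GNUTLS_CIPHER_AES_128_CBC = 4,
    GNUTLS_CIPHER_AES_256_CBC = 5,
    GNUTLS_CIPHER_ARCFOUR_40  = 6
};

#define PRIORITY_SLOTS 16   /* size of Exim's default_cipher_priority[] */

/* The order quoted in the thread: RC4-128 first, 40-bit RC4 still offered. */
static const int old_cipher_priority[PRIORITY_SLOTS] = {
    GNUTLS_CIPHER_ARCFOUR_128,
    GNUTLS_CIPHER_AES_128_CBC,
    GNUTLS_CIPHER_3DES_CBC,
    GNUTLS_CIPHER_ARCFOUR_40,
    0 };

/* The order the thread converges on: AES-256 first, ARCFOUR_40 dropped. */
static const int new_cipher_priority[PRIORITY_SLOTS] = {
    GNUTLS_CIPHER_AES_256_CBC,
    GNUTLS_CIPHER_AES_128_CBC,
    GNUTLS_CIPHER_3DES_CBC,
    GNUTLS_CIPHER_ARCFOUR_128,
    0 };

/* Hypothetical sanity check to run before gnutls_cipher_set_priority():
 * the list must be 0-terminated within the array, must not offer the
 * 40-bit export cipher, and must not list AES after RC4. */
bool cipher_priority_ok(const int *list, size_t slots)
{
    bool terminated = false, seen_rc4 = false;
    for (size_t i = 0; i < slots; i++) {
        int c = list[i];
        if (c == 0) { terminated = true; break; }
        if (c == GNUTLS_CIPHER_ARCFOUR_40) return false;   /* export-grade */
        if (c == GNUTLS_CIPHER_ARCFOUR_128) seen_rc4 = true;
        if ((c == GNUTLS_CIPHER_AES_128_CBC || c == GNUTLS_CIPHER_AES_256_CBC)
            && seen_rc4)
            return false;   /* AES ranked below RC4: preference is backwards */
    }
    return terminated && list[0] != 0;   /* empty list is not acceptable */
}
```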