Your message dated Sat, 14 Apr 2012 16:23:49 +0200
with message-id <[email protected]>
and subject line Re: Bug#665766: libgnutls26: should prefer TLS 1.2/ECC cipher suites
has caused the Debian Bug report #665766,
regarding libgnutls26: should prefer TLS 1.2/ECC cipher suites
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
665766: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665766
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgnutls26
Version: 2.12.18-1
Severity: wishlist
File: /usr/lib/x86_64-linux-gnu/libgnutls.so.26

Now that OpenSSL 1.0.1 is in sid, mutt can now talk to my dovecot IMAP
server using TLS 1.2 [0].  However, I was disappointed to discover that
mutt (which does not have knobs for cipher suites) still uses
DHE-RSA/AES-128-CBC/SHA1.

Since my processor supports the Intel AESNI instructions, using GCM is
very significantly faster than using HMAC (approximately 225% faster)
using my own implementation, and runs at almost exactly the same speed
as CBC with HMAC-SHA1 (and 47% faster than CBC with HMAC-SHA256) using
libgnutls26's unaccelerated implementation.

Also, using ECC suites like ECDHE is faster and much more secure than
using plain DH.  This also means that #476441 should be viewed in a new
light; specifically, using ECC cipher suites means that the public-key
operations can be of equivalent length to the symmetric-key operations.

Finally, if HMAC is going to be used, a stronger hash algorithm than
SHA-1 should be chosen.  SHA-1 has demonstrable weaknesses that have not
been determined to be present in SHA-256, SHA-384, or SHA-512.

Currently, GnuTLS by default offers no GCM suites, offers no ECC suites
(or ECC curve extensions), prefers the SHA-1 algorithms over the SHA-256
algorithms, and even specifies a cipher suite using MD5
(TLS_RSA_WITH_RC4_128_MD5)!

I'd like to request that at least when negotiating TLS 1.2, that GCM be
preferred over CBC, that ECC suites be preferred over non-ECC ones, and
that if HMAC is used SHA-256 be preferred over SHA-1.  I would like to
point out that except for the latter decision (which is slightly
slower), all of these have the effect of improving *both* performance
and security.

[0] My dovecot server is using
AESGCM:ECDH:ALL:-MD5:-RC4:!LOW:!SSLv2:!EXP:!aNULL as the cipher suite
specification.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.3.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgnutls26 depends on:
ii  libc6              2.13-27
ii  libgcrypt11        1.5.0-3
ii  libp11-kit0        0.12-2
ii  libtasn1-3         2.12-1
ii  multiarch-support  2.13-27
ii  zlib1g             1:1.2.6.dfsg-2

libgnutls26 recommends no packages.

libgnutls26 suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: package libgnutls26 is not installed

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187



--- End Message ---
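The report's four requests (GCM over CBC, ECDHE over DH, no MD5/RC4, SHA-256 over SHA-1) can be checked mechanically against the dovecot cipher string from footnote [0]. The following is an added example, not code from the report, GnuTLS or dovecot: it uses Python's ssl module to expand the OpenSSL cipher string exactly as the server would and reports whether each preference actually holds. The result keys are my own names.

```python
import ssl

# Cipher string quoted in footnote [0] of the bug report: the reporter's dovecot
# server configuration (OpenSSL cipher-string syntax).
DOVECOT_CIPHER_STRING = "AESGCM:ECDH:ALL:-MD5:-RC4:!LOW:!SSLv2:!EXP:!aNULL"


def tls12_suites(cipher_string):
    """Expand an OpenSSL cipher string into the suites it offers under TLS 1.2,
    in preference order. TLS 1.3 suites are configured separately in OpenSSL
    and are left out. Unknown keywords (such as SSLv2 on current OpenSSL) are
    silently ignored by the parser, which is itself worth knowing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Test the preferences the bug report asks for against one cipher string."""
    suites = tls12_suites(cipher_string)
    first = suites[0]
    # Suites with a MAC digest are the CBC/HMAC ones; AEAD suites report None.
    hmac_suites = [c for c in suites if c["digest"]]
    sha2_pos = [i for i, c in enumerate(suites) if c["digest"] in ("sha256", "sha384")]
    sha1_pos = [i for i, c in enumerate(suites) if c["digest"] == "sha1"]
    return {
        "first_suite": first["name"],
        # 1. GCM preferred over CBC: the top suite must be an AES-GCM AEAD suite.
        "gcm_first": bool(first["aead"]) and "gcm" in (first["symmetric"] or ""),
        # 2. ECC preferred: the top suite must use ECDHE key exchange.
        "ecdhe_first": first["kea"] == "kx-ecdhe",
        # 3. Nothing with MD5 or RC4 survives the -MD5/-RC4 removals.
        "no_md5_rc4": not any(c["digest"] == "md5" or "rc4" in (c["symmetric"] or "")
                              for c in suites),
        # 4a. The best CBC/HMAC suite should use SHA-2, not SHA-1.
        "first_hmac_digest": hmac_suites[0]["digest"] if hmac_suites else None,
        # 4b. Each keyword appends every matching suite not yet listed, so "ECDH"
        # pulls the ECDHE CBC-SHA1 suites ahead of later DHE/RSA CBC-SHA256 ones;
        # flag whether some SHA-1 suite outranks some SHA-2 suite.
        "sha1_outranks_some_sha2": bool(sha1_pos and sha2_pos
                                        and min(sha1_pos) < max(sha2_pos)),
    }


if __name__ == "__main__":
    for key, value in audit(DOVECOT_CIPHER_STRING).items():
        print(f"{key}: {value}")
```

The GnuTLS-side equivalent of this expansion is `gnutls-cli --list --priority STRING`, which prints the suites a given priority string enables.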
--- Begin Message ---
On 2012-03-30 Nikos Mavrogiannopoulos <[email protected]> wrote:
> > Now that OpenSSL 1.0.1 is in sid, mutt can now talk to my dovecot IMAP
> > server using TLS 1.2 [0].  However, I was disappointed to discover that
> > mutt (which does not have knobs for cipher suites) still uses
> > DHE-RSA/AES-128-CBC/SHA1.

> Hello,
>  libgnutls26 doesn't support elliptic curves or AES-GCM. These were
> added in gnutls 3.0.x, and are indeed used with higher priority if the
> host system supports the AESNI/PCLMUL instructions.

> > Also, using ECC suites like ECDHE is faster and much more secure than
> > using plain DH.

> ECDH is faster than plain DH on the same security levels but there is
> no evidence known to me suggesting it is more secure.
> (it is the same algorithm under a different group)

> > Finally, if HMAC is going to be used, a stronger hash algorithm than
> > SHA-1 should be chosen.  SHA-1 has demonstrable weaknesses that have not
> > been determined to be present in SHA-256, SHA-384, or SHA-512.

> I'm not aware of weaknesses in SHA-1 when used with the HMAC
> construction. The application you are using though should have
> provided a way for you to force alternative algorithms (e.g. via a
> gnutls priority string).

Closing. Versions that support the algorithm already do the right
thing.
cu andreas


--- End Message ---
