> I think that both the openssl and the gnutls cipher name constructs are
> unnecessarily complex: there are maybe max 100 registered TLS
> ciphersuites. A tiny portion of those are useful in normal situations.
> I think it would be simpler if the administrator simply specified
> exactly which TLS ciphersuite he wants, instead of trying to describe
> what ciphersuites he wants using some complicated naming scheme.
The problem with direct ciphersuite setting is that administrators don't know what each ciphersuite does, offers or costs. Maybe they don't even care. That's why I think that the new priority API should be used for applications that want to provide configurable security levels such as "PERFORMANCE", "NORMAL", "SECURE128", "SECURE256" and even set individual ciphers if needed.

By forcing an administrator to learn what 100 TLS ciphersuites do, and letting him find the combinations he needs, it could have the negative effect of having reduced security. If one doesn't know what ciphersuites are, he would just google and find a configuration that works no matter if it is secure or not. The interface should be simple to use for non-TLS experts. For this reason I'd suggest using and providing a reasonable default (NORMAL, or HIGH and let others modify it).

The functions and syntax are discussed here:
http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#gnutls_priority_init