On Wed 2015-05-27 16:35:52 -0400, jonetsu wrote:
> The output of the cipher listing, in FIPS mode, filtered for TLS1.2, gives:
>
> % gnutls-cli -l --priority NORMAL | grep 1.2
>
> TLS_ECDHE_ECDSA_AES_128_GCM_SHA256
> TLS_ECDHE_ECDSA_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256
> TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384
> [...]

It appears you've trimmed the right-hand side of this transcript, where
TLS1.2 actually appears.
> Only GCM variation of AES. Why is GCM the only available AES variation in
> TLS1.2 ?
I think you're misunderstanding the output of gnutls-cli -l, which looks
like this:
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b TLS1.2
I think this line says that the TLS_ECDHE_ECDSA_AES_128_GCM_SHA256
ciphersuite is only available for TLS 1.2 and higher (because that is
when it was introduced).
You'll note that no ciphersuites are listed with a "TLS1.1" label,
despite the fact that GnuTLS will connect to a peer that only handles
TLS 1.1.
Similarly, there are ciphersuites marked with SSL3.0, despite the fact
that GnuTLS does not support SSLv3 any longer (SSLv3 is old and
known-broken[0]). These ciphersuites are listed that way because that's
the protocol version in which they were introduced.
hth,
--dkg
[0] https://tools.ietf.org/html/draft-ietf-tls-sslv3-diediedie-03
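
An added example, not part of the original message: a filter that reads the third column of `gnutls-cli -l` as "introduced in" (the interpretation given in the reply above) and contrasts it with matching on the label alone. The listing is a constructed sample and `suites_labelled` / `suites_usable_at` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample in the `gnutls-cli -l` line format quoted in the message:
# suite name, two-byte code point, protocol version that introduced the suite.
# The version labels on the CBC lines are assumed for illustration.
sample_listing() {
cat <<'EOF'
Cipher suites for NORMAL
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256  0xc0, 0x2b  TLS1.2
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1    0xc0, 0x09  SSL3.0
TLS_RSA_AES_128_CBC_SHA256          0x00, 0x3c  TLS1.2
TLS_RSA_AES_128_CBC_SHA1            0x00, 0x2f  SSL3.0

Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
EOF
}

# What `grep 1.2` approximates: suites whose label equals the given version.
suites_labelled() {
    awk -v want="$1" '$1 ~ /^TLS_/ && NF == 4 && $4 == want { print $1 }'
}

# Suites introduced at or before the given version, i.e. candidates for a
# connection that negotiates it (hypothetical helper; listing on stdin).
suites_usable_at() {
    awk -v want="$1" '
        BEGIN {
            rank["SSL3.0"] = 0; rank["TLS1.0"] = 1
            rank["TLS1.1"] = 2; rank["TLS1.2"] = 3
            if (!(want in rank)) {
                print "unknown version label: " want > "/dev/stderr"
                exit 2
            }
        }
        # Match only suite lines so headers such as "Protocols:" are skipped.
        $1 ~ /^TLS_/ && NF == 4 && ($4 in rank) && rank[$4] <= rank[want] { print $1 }
    '
}

echo "Labelled TLS1.2:";                  sample_listing | suites_labelled TLS1.2
echo "Usable when TLS1.2 is negotiated:"; sample_listing | suites_usable_at TLS1.2
echo "Usable when TLS1.1 is negotiated:"; sample_listing | suites_usable_at TLS1.1
```

On a real system, pipe `gnutls-cli -l --priority NORMAL` into the functions instead of `sample_listing`; which suites are actually offered still depends on the priority string.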
