On Sun, 07 Jul 2013 19:36:18 +0200 Nikos Mavrogiannopoulos <[email protected]> wrote:

NM> On 07/02/2013 08:31 PM, Ted Zlatanov wrote:
>> I think negotiating the connection twice is unacceptable for
>> performance. We have to find a way to do it in one attempt, even if the
>> user has to configure something about the exceptional servers. Can we
>> always try ECDHE and only do DHE if the user tells us so?

NM> You can always disable DHE. That way ECDHE will be negotiated with RSA
NM> as fallback.

I'm sorry to keep asking, but I can't find this explicitly in the manual. Maybe I'm looking in the wrong places.

From http://gnutls.org/manual/html_node/Priority-Strings.html I am guessing that:

1) Including ANON-ECDH enables ECDHE

2) !DHE-RSA:!DHE-DSS disables DHE (not sure if DHE-RSA should be enabled for us)

3) NORMAL enables DHE and ECDHE

Can you confirm this? It would be very nice if the initial keywords' description in that documentation page actually showed what's enabled by each one, especially "NORMAL".

I also can't tell how to set the DH minimum prime bits in a priority string, if that's possible at all.

I can write additions to the manual to explain any of the above if you think they are needed.

Thanks!
Ted

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
