Re: Providing Webfs with GnuTLS-support.
Mats Erik Andersson <mats.andersson@gisladisker.se> writes:
> Hello,
>
> the package for the small web server Webfs has had SSL-support inactivated
> at least since July 2006, when #395873 began discussing migration to GnuTLS.
> Nothing ever happened, but now, having recently adopted the package, I am
> prepared to submit a new packaging of Webfs that does activate SSL/TLS
> by linking against GnuTLS.

Great!

> First off, is there some group or individual that has stated a willingness
> to perform a pre-release examination, in order that a GnuTLS-migration does
> not introduce security breaches, that had better be accounted for before
> any public package release? Or is the scrutiny during unstable and testing
> phases deemed sufficient?

Is there any particular reason you worry? If not, I believe the normal
process is the best we can get.

> Secondly, my implementation uses a few compiler macros to enable an
> independent administrator to recompile the package with customized
> settings. My present intention is to use code equivalent to
>
> #define WEBFS_CIPHERS "SECURE256"
> #undef USE_TLS_COMPATIBILITY
>
> influencing code snippets
>
> gnutls_priority_init(&tls_priority_cache, WEBFS_CIPHERS, NULL);

Ideally, the priority string should come from a configuration file
rather than being hard coded. Isn't there one?

Also, I'm not sure SECURE256 makes sense, it will reject RSA-SHA-1
signatures (because it has key bit length < 256).

I would strongly recommend sticking to "NORMAL" unless there is any
explicit reason not to.

> gnutls_session_enable_compatibility_mode(client_session);

This disables record padding, which seems like a bad idea to activate.

> Bearing in mind the behaviour of different web clients, could there
> be relevant reasons to relax these to "NORMAL", and a default activation
> of compatibility mode? My initial impulse is to refrain from this.

I recommend to use NORMAL and not disable record padding.

/Simon
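
Added example, not part of the original thread and not Webfs code: one way to take the priority string from configuration text, default to "NORMAL", and have GnuTLS validate it at startup without enabling compatibility mode. The `tls_priority` key, the config layout and the function name are hypothetical; build with `-DWITH_GNUTLS -lgnutls` to include the GnuTLS call.

```c
/* Added example, not Webfs code; the "tls_priority" key is hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#ifdef WITH_GNUTLS
#include <gnutls/gnutls.h>
#endif

/* Find "tls_priority = <string>" in config text; the last valid entry wins.
 * Returns 1 if found, else 0 with out left at "NORMAL" (the reply's advice). */
int priority_from_config(const char *text, char *out, size_t outlen)
{
    static const char key[] = "tls_priority";
    const size_t klen = sizeof key - 1;
    int found = 0;
    snprintf(out, outlen, "NORMAL");
    while (text && *text) {
        const char *eol = strchr(text, '\n');
        const char *p = text, *end = eol ? eol : text + strlen(text);
        text = eol ? eol + 1 : NULL;
        while (p < end && isspace((unsigned char)*p)) p++;
        if ((size_t)(end - p) <= klen || strncmp(p, key, klen)) continue;
        p += klen;
        while (p < end && isspace((unsigned char)*p)) p++;
        if (p == end || *p++ != '=') continue;
        while (p < end && isspace((unsigned char)*p)) p++;
        while (end > p && isspace((unsigned char)end[-1])) end--;
        if (end == p || (size_t)(end - p) >= outlen) continue; /* empty or too long */
        snprintf(out, outlen, "%.*s", (int)(end - p), p);
        found = 1;
    }
    return found;
}

int main(void)
{
    char prio[128];   /* the config text below is constructed sample input */
    priority_from_config("# webfs\ntls_priority = NORMAL:-VERS-TLS1.0\n", prio, sizeof prio);
    printf("priority: %s\n", prio);
#ifdef WITH_GNUTLS
    /* Validate at startup and fail closed; compatibility mode is never enabled. */
    gnutls_priority_t cache;
    const char *err = NULL;
    if (gnutls_priority_init(&cache, prio, &err) < 0) {
        fprintf(stderr, "bad priority near \"%s\"\n", err ? err : "");
        return 1;
    }
#endif
    return 0;
}
```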