from small one page howto to huge articles all in one place

Other .linuxhowtos.org sites:toolsntoys.linuxhowtos.org
gentoo.linuxhowtos.org

poll results

Last additions:

words:

887

views:

20237

userrating:

average rating: 3.4 (205 votes) (1=very good 6=terrible)

May 25th. 2007:

Words

486

Views

36019

why adblockers are bad

Workaround and fixes for the current Core Dump Handling vulnerability affected kernels

words:

161

views:

20986

userrating:

average rating: 1.0 (50 votes) (1=very good 6=terrible)

April, 26th. 2006:

Words

Views

16053

New subdomain: toolsntoys.linuxhowtos.org

You are here: manpages

gnutls_priority_init

Section: gnutls (3)
Updated: 2.10.2
Index Return to Main Contents

NAME

gnutls_priority_init - API function

SYNOPSIS

#include <gnutls/gnutls.h>

int gnutls_priority_init(gnutls_priority_t * priority_cache, const char * priorities, const char ** err_pos);

ARGUMENTS

gnutls_priority_t * priority_cache: is a gnutls_prioritity_t structure.
const char * priorities: is a string describing priorities
const char ** err_pos: In case of an error this will have the position in the string the error occured

DESCRIPTION

Sets priorities for the ciphers, key exchange methods, MACs and compression methods. This provides a more flexible interface compared to the gnutls_*_priority functions.

The priorities parameter allows you to specify a colon separated list of the cipher priorities to enable.

Unless the first keyword is "NONE" the defaults (in preference order) are for TLS protocols TLS1.1, TLS1.0, SSL3.0; for compression NULL; for certificate types X.509, OpenPGP.

For key exchange algorithms when in NORMAL or SECURE levels the perfect forward secrecy algorithms take precedence of the other protocols. In all cases all the supported key exchange algorithms are enabled (except for the RSA-EXPORT which is only enabled in EXPORT level).

Note that although one can select very long key sizes (such as 256 bits) for symmetric algorithms, to actually increase security the public key algorithms have to use longer key sizes as well.

For all the current available algorithms and protocols use "gnutls-cli -l" to get a listing.

COMMON KEYWORDS

Some keywords are defined to provide quick access to common preferences.

"PERFORMANCE" means all the "secure" ciphersuites are enabled, limited to 128 bit ciphers and sorted by terms of speed performance.

"NORMAL" means all "secure" ciphersuites. The 256-bit ciphers are included as a fallback only. The ciphers are sorted by security margin.

"SECURE128" means all "secure" ciphersuites with ciphers up to 128 bits, sorted by security margin.

"SECURE256" means all "secure" ciphersuites including the 256 bit ciphers, sorted by security margin.

"EXPORT" means all ciphersuites are enabled, including the low-security 40 bit ciphers.

"NONE" means nothing is enabled. This disables even protocols and compression methods.

SPECIAL KEYWORDS

"!" or "-" appended with an algorithm will remove this algorithm.

"+" appended with an algorithm will add this algorithm.

"%COMPAT" will enable compatibility features for a server.

"%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use unless you know what you are doing. Testing purposes only.

"%UNSAFE_RENEGOTIATION" will allow handshakes and rehandshakes without the safe renegotiation extension. Note that for clients this mode is insecure (you may be under attack), and for servers it will allow insecure clients to connect (which could be fooled by an attacker). Do not use unless you know what you are doing and want maximum compatibility.

"%PARTIAL_RENEGOTIATION" will allow initial handshakes to proceed, but not rehandshakes. This leaves the client vulnerable to attack, and servers will be compatible with non-upgraded clients for initial handshakes. This is currently the default for clients and servers, for compatibility reasons.

"%SAFE_RENEGOTIATION" will enforce safe renegotiation. Clients and servers will refuse to talk to an insecure peer. Currently this causes operability problems, but is required for full protection.

"%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello.

"%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA-MD5 signatures in certificate chains.

"%VERIFY_ALLOW_X509_V1_CA_CRT" will allow V1 CAs in chains.

NAMESPACE

To avoid collisions in order to specify a compression algorithm in this string you have to prefix it with "COMP-", protocol versions with "VERS-", signature algorithms with "SIGN-" and certificate types with "CTYPE-". Other algorithms don't need a prefix.

EXAMPLES

"NORMAL:!AES-128-CBC" means normal ciphers except for AES-128.

"EXPORT:!VERS-TLS1.0:+COMP-DEFLATE" means that export ciphers are enabled, TLS 1.0 is disabled, and libz compression enabled.

"NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL", "NORMAL", "%COMPAT".

RETURNS

On syntax error GNUTLS_E_INVALID_REQUEST is returned, GNUTLS_E_SUCCESS on success, or an error code.

REPORTING BUGS

Report bugs to <bug-gnutls@gnu.org>. GnuTLS home page: http://www.gnu.org/software/gnutls/ General help using GNU software: http://www.gnu.org/gethelp/

COPYRIGHT

Copyright © 2008 Free Software Foundation.
Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.