diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-12-19 11:52:47 +0000 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-12-19 11:52:47 +0000 |
| commit | 2b2c5eea84ea34ce1d4b5e5314ca252d04171e29 (patch) | |
| tree | e076baef80cb1c4be872f28360010892f1d0e3eb | |
| parent | 051ab1222e698565c5218431ba2ec3dcc29d7491 (diff) | |
| download | gnutls-2b2c5eea84ea34ce1d4b5e5314ca252d04171e29.tar.gz | |
*** empty log message ***
| -rw-r--r-- | doc/tex/cert_auth.tex | 12 | ||||
| -rw-r--r-- | doc/tex/ciphersuites.tex | 7 | ||||
| -rw-r--r-- | src/serv.c | 2 |
3 files changed, 10 insertions, 11 deletions
diff --git a/doc/tex/cert_auth.tex b/doc/tex/cert_auth.tex index cef7fc7536..8e71417c7f 100644 --- a/doc/tex/cert_auth.tex +++ b/doc/tex/cert_auth.tex @@ -60,12 +60,17 @@ the raw certificate of the peer and verify it using the functions discussed in section \ref{x509:trust} on page \pageref{x509:trust}. \par -In a handshake, the negotiated key exchange method depends on the +In a handshake, the negotiated cipher suite depends on the certificate's parameters, so not all key exchange methods will be available -with some certificates. That is a certificate with DSA parameters will not -be able to use the RSA key exchange method. +with some certificates. \gnutls{} will disable ciphersuites that are not compatible with the key, or +the enabled authentication methods. For example keys marked as sign-only, will not be able to +access the plain RSA ciphersuites, but only the DHE\_RSA ones. It is +recommended not to use RSA keys for both signing and encryption. If possible +use the same key for the DHE\_RSA and RSA\_EXPORT ciphersuites, which use signing, +and a different key for the plain RSA ciphersuites, which uses encryption. All the key exchange methods shown in \hyperref{figure}{figure }{}{fig:cert} are available in certificate authentication. + Note that the DHE key exchange methods require Diffie Hellman parameters to be generated and associated with a credentials structure. The RSA-EXPORT method requires 512 bit RSA parameters, which should also be generated @@ -77,6 +82,7 @@ and associated with the credentials structure. See the functions: \item \printfunc{gnutls_certificate_set_rsa_export_params}{gnutls\_certificate\_set\_rsa\_export\_params} \end{itemize} + \begin{figure}[hbtp] \index{Key exchange algorithms} \begin{tabular}{|l|p{9cm}|} diff --git a/doc/tex/ciphersuites.tex b/doc/tex/ciphersuites.tex index 72fe2f8a11..87c3a99135 100644 --- a/doc/tex/ciphersuites.tex +++ b/doc/tex/ciphersuites.tex @@ -23,12 +23,5 @@ and set priorities on the individual ciphers. It may imply that all combinations are allowed, but this is not true. For several reasons, not discussed here, some combinations were not defined in the \tls{} protocol. The supported ciphersuites are shown in appendix \ref{ap:ciphersuites} on page \pageref{ap:ciphersuites}. -\gnutls{} will disable ciphersuites that are not compatible with the key, or -the enabled authentication methods. -For example keys marked as sign-only, will not be able to -access the plain RSA ciphersuites, but only the DHE\_RSA ones. It is -recommended not to use RSA keys for both signing and encryption. If possible -use the same key for the DHE\_RSA and RSA\_EXPORT ciphersuites, which use signing, -and a different key for the plain RSA ciphersuites, which uses encryption. \addvspace{1.5cm} diff --git a/src/serv.c b/src/serv.c index 2fc08fbded..bd43904a74 100644 --- a/src/serv.c +++ b/src/serv.c @@ -666,7 +666,7 @@ int main(int argc, char **argv) if (generate != 0 || read_dh_params != NULL) { gnutls_certificate_set_dh_params(cert_cred, dh_params); - gnutls_certificate_set_rsa_params(cert_cred, rsa_params); + gnutls_certificate_set_rsa_export_params(cert_cred, rsa_params); } /* this is a password file (created with the included srpcrypt utility) |