diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-02-16 20:54:36 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-02-16 20:55:12 +0100 |
| commit | 2d3c1568f4440d5b83c47b05bfbf0064643aa50b (patch) | |
| tree | aecb8d499e369eeec588299dc0b1b457ab87b93c | |
| parent | 5ccf2978641d313ec5a1dc77c7475820076f77a3 (diff) | |
| download | gnutls-2d3c1568f4440d5b83c47b05bfbf0064643aa50b.tar.gz | |
reorganization of ciphersuite discussion.
| -rw-r--r-- | doc/cha-intro-tls.texi | 64 |
1 files changed, 30 insertions, 34 deletions
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi index fd332b74df..d694d4dd1b 100644 --- a/doc/cha-intro-tls.texi +++ b/doc/cha-intro-tls.texi @@ -316,10 +316,38 @@ To set whether client certificate is required or not. To initiate the handshake. @end table +@subsection TLS Cipher Suites + +The Handshake Protocol of @acronym{TLS} negotiates cipher suites of +the form @code{TLS_DHE_RSA_WITH_3DES_CBC_SHA}. The usual cipher +suites contain these parameters: + +@itemize + +@item The key exchange algorithm. +@code{DHE_RSA} in the example. + +@item The Symmetric encryption algorithm and mode +@code{3DES_CBC} in this example. + +@item The MAC@footnote{MAC stands for Message Authentication Code. It can be described as a keyed hash algorithm. See RFC2104.} algorithm used for authentication. +@code{MAC_SHA} is used in the above example. + +@end itemize + +The cipher suite negotiated in the handshake protocol will affect the +Record Protocol, by enabling encryption and data authentication. Note +that you should not over rely on @acronym{TLS} to negotiate the +strongest available cipher suite. Do not enable ciphers and algorithms +that you consider weak. + +All the supported ciphersuites are shown in @ref{ciphersuites}. + @subsection Priority strings -The previously shown priority functions accept a string +In order to specify cipher suite preferences, the +previously shown priority functions accept a string that specifies the algorithms to be enabled in a TLS handshake. -This string may contain some high level keyword such as: +That string may contain some high level keyword such as: @table @asis @item PERFORMANCE: @@ -463,38 +491,6 @@ will allow V1 CAs in chains. @end table -@subsection TLS Cipher Suites - -The Handshake Protocol of @acronym{TLS} negotiates cipher suites of -the form @code{TLS_DHE_RSA_WITH_3DES_CBC_SHA}. The usual cipher -suites contain these parameters: - -@itemize - -@item The key exchange algorithm. -@code{DHE_RSA} in the example. - -@item The Symmetric encryption algorithm and mode -@code{3DES_CBC} in this example. - -@item The MAC@footnote{MAC stands for Message Authentication Code. It can be described as a keyed hash algorithm. See RFC2104.} algorithm used for authentication. -@code{MAC_SHA} is used in the above example. - -@end itemize - -The cipher suite negotiated in the handshake protocol will affect the -Record Protocol, by enabling encryption and data authentication. Note -that you should not over rely on @acronym{TLS} to negotiate the -strongest available cipher suite. Do not enable ciphers and algorithms -that you consider weak. - -The priority functions, dicussed above, allow the application layer to -enable and set priorities on the individual ciphers. It may imply that -all combinations of ciphersuites are allowed, but this is not -true. For several reasons, not discussed here, some combinations were -not defined in the @acronym{TLS} protocol. The supported ciphersuites -are shown in @ref{ciphersuites}. - @subsection Client Authentication @cindex Client Certificate authentication |