Mats Erik Andersson <mats.anders...@gisladisker.se> writes:

> Hello,
>
> the package for the small web server Webfs has had SSL-support inactivated
> at least since July 2006, when #395873 began discussing migration to GnuTLS.
> Nothing ever happened, but now, having recently adopted the package, I am
> prepared to submit a new packaging of Webfs that does activate SSL/TLS
> by linking against GnuTLS.

Great!

> First off, is there some group or individual that has stated a willingness
> to perform a pre-release examination, in order that a GnuTLS-migration does
> not introduce security breaches, that had better be accounted for before
> any public package release? Or is the scrutiny during unstable and testing
> phases deemed sufficient?

Is there any particular reason you worry? If not, I believe the normal process is the best we can get.

> Secondly, my implementation uses a few compiler macros to enable an
> independent administrator to recompile the package with customized
> settings. My present intention is to use code equivalent to
>
>    #define WEBFS_CIPHERS "SECURE256"
>    #undef USE_TLS_COMPATIBILITY
>
> influencing code snippets
>
>    gnutls_priority_init(&tls_priority_cache, WEBFS_CIPHERS, NULL);

Ideally, the priority string should come from a configuration file rather than being hard coded. Isn't there one?

Also, I'm not sure SECURE256 makes sense, it will reject RSA-SHA-1 signatures (because it has key bit length < 256). I would strongly recommend sticking to "NORMAL" unless there is any explicit reason not to.

>    gnutls_session_enable_compatibility_mode(client_session);

This disables record padding, which seems like a bad idea to activate.

> Bearing in mind the behaviour of different web clients, could there
> be relevant reasons to relax these to "NORMAL", and a default activation
> of compatibility mode? My initial impulse is to refrain from this.

I recommend to use NORMAL and not disable record padding.

/Simon
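The suggestion in the reply above (priority string taken from configuration, "NORMAL" as the default, compatibility mode never enabled) sketched as an added example; it is not part of the original thread and not Webfs code. The `tls_priority` key, the `key = value` syntax and both function names are assumptions made for illustration.

```c
/* Added example, not Webfs code: the "tls_priority" key and "key = value"
 * syntax are assumptions. Build with -DWITH_GNUTLS -lgnutls for the TLS part. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#ifdef WITH_GNUTLS
#include <gnutls/gnutls.h>
#endif
#define DEFAULT_PRIORITY "NORMAL"

/* Put the configured priority string in out, or DEFAULT_PRIORITY when the key
 * is absent. Lines with an empty or over-long value are ignored. Returns 1/0. */
int priority_from_config(const char *conf, char *out, size_t outlen)
{
    static const char key[] = "tls_priority";
    int found = 0;
    snprintf(out, outlen, "%s", DEFAULT_PRIORITY);
    for (const char *line = conf, *eol; line && *line; line = eol ? eol + 1 : NULL) {
        eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *p = line;
        while (p < end && isspace((unsigned char)*p)) p++;
        if (strncmp(p, key, sizeof key - 1) != 0) continue;
        p += sizeof key - 1;
        while (p < end && isspace((unsigned char)*p)) p++;
        if (p == end || *p++ != '=') continue;
        while (p < end && isspace((unsigned char)*p)) p++;
        while (end > p && isspace((unsigned char)end[-1])) end--;
        if (end == p || (size_t)(end - p) >= outlen) continue;
        memcpy(out, p, (size_t)(end - p));
        out[end - p] = '\0';
        found = 1;
    }
    return found;
}

#ifdef WITH_GNUTLS
/* Parse the string once at startup; err_pos points at the rejected token. */
int init_priority(gnutls_priority_t *cache, const char *prio)
{
    const char *err_pos = NULL;
    int rc = gnutls_priority_init(cache, prio, &err_pos);
    if (rc != GNUTLS_E_SUCCESS)
        fprintf(stderr, "bad priority string at \"%s\": %s\n",
                err_pos ? err_pos : "", gnutls_strerror(rc));
    return rc;
}
#endif
```

A server using this would refuse to start when `init_priority` fails rather than silently falling back, so a typo in the configured string cannot weaken the TLS settings unnoticed.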