

8.2 Disabling algorithms and protocols

The approach above works well to create consistent system-wide settings for cooperative GnuTLS applications. However, when an application does not use the gnutls_set_default_priority or gnutls_set_default_priority_append functions, that method is not sufficient to prevent it from using protocols or algorithms forbidden by a local policy. The override method described below enables the deprecation of algorithms and protocols system-wide for all applications.

The available options must be set in the [overrides] section of the configuration file and can be

Each of the options can be repeated multiple times when multiple values need to be disabled.

The valid values for the options above can be found in the 'Protocols', 'Digests', 'PK-signatures', 'Ciphers', and 'MACs' fields of the output of gnutls-cli --list.

8.2.1 Examples

The following example marks as insecure all digital signature algorithms which depend on SHA384, as well as the RSA-SHA1 signature algorithm.

[overrides]
insecure-hash = sha384
insecure-sig = rsa-sha1

The following example marks RSA-SHA256 as insecure for use in certificates and disables the TLS1.0 and TLS1.1 protocols.

[overrides]
insecure-sig-for-cert = rsa-sha256
disabled-version = tls1.0
disabled-version = tls1.1

The following example disables the AES-128-CBC and AES-256-CBC ciphers, the HMAC-SHA1 MAC algorithm and the GROUP-FFDHE8192 group for TLS and DTLS protocols.

[overrides]
tls-disabled-cipher = aes-128-cbc
tls-disabled-cipher = aes-256-cbc
tls-disabled-mac = sha1
tls-disabled-group = group-ffdhe8192
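
As an added example (not part of the GnuTLS manual or the library's own code), the following script audits an [overrides] section against a local baseline, accumulating repeated options instead of letting a later line overwrite an earlier one. The sample file, the REQUIRED baseline and the function names are constructed for illustration; treating '#' and ';' as comment markers and comparing names case-insensitively are assumptions of this sketch.

```python
from collections import defaultdict

# Constructed sample file, built from the option lines in the examples above.
SAMPLE = """\
[priorities]
SYSTEM = NORMAL

[overrides]
# local policy
insecure-sig-for-cert = rsa-sha256
disabled-version = tls1.0
disabled-version = TLS1.1
tls-disabled-cipher = aes-128-cbc
tls-disabled-cipher = aes-256-cbc
tls-disabled-mac = sha1
"""

# Hypothetical local baseline: values that must appear under each option.
REQUIRED = {
    "disabled-version": ["tls1.0", "tls1.1"],
    "tls-disabled-mac": ["sha1"],
    "tls-disabled-group": ["group-ffdhe8192"],
}

def parse_overrides(text):
    """Return {option: set(values)} for the [overrides] section only."""
    overrides, section = defaultdict(set), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment (assumed syntax)
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "overrides" and "=" in line:
            key, value = line.split("=", 1)
            # Options may repeat, so collect every value rather than overwrite.
            overrides[key.strip().lower()].add(value.strip().lower())
    return dict(overrides)

def missing_from_policy(overrides, required):
    """Return {option: sorted values} the baseline demands but the file lacks."""
    gaps = {}
    for option, values in required.items():
        absent = {v.lower() for v in values} - overrides.get(option, set())
        if absent:
            gaps[option] = sorted(absent)
    return gaps

if __name__ == "__main__":
    gaps = missing_from_policy(parse_overrides(SAMPLE), REQUIRED)
    for option, values in gaps.items():
        print(f"{option}: not disabled -> {', '.join(values)}")
```

A generic INI parser that rejects or collapses duplicate keys would misreport a file like this one, which is why the values are collected into sets here.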
