NAME
gnutls_priority_init - Sets priorities for the cipher suites supported
by gnutls.
SYNOPSIS
#include <gnutls/gnutls.h>
int gnutls_priority_init(gnutls_priority_t * priority_cache, const char
* priorities, const char ** err_pos);
ARGUMENTS
gnutls_priority_t * priority_cache
is a gnutls_prioritity_t structure.
const char * priorities
is a string describing priorities
const char ** err_pos
In case of an error this will have the position in the
string the error occured
DESCRIPTION
Sets priorities for the ciphers, key exchange methods, macs and
compression methods. This is to avoid using the gnutls_*_priority()
functions.
The priorities option allows you to specify a semi-colon separated list
of the cipher priorities to enable.
Unless the first keyword is "NONE" the defaults (in preference order)
are for TLS protocols TLS1.1, TLS1.0, SSL3.0; for compression NULL; for
certificate types X.509, OpenPGP.
For key exchange algorithms when in NORMAL or SECURE levels the perfect
forward secrecy algorithms take precendence of the other protocols. In
all cases all the supported key exchange algorithms are enabled (except
for the RSA-EXPORT which is only enabled in EXPORT level).
Note that although one can select very long key sizes (such as 256
bits) for symmetric algorithms, to actually increase security the
public key algorithms have to use longer key sizes as well.
For all the current available algorithms and protocols use "gnutls-cli
-l" to get a listing.
COMMON KEYWORDS
Some keywords are defined to provide quick access to common
preferences.
"PERFORMANCE" means all the "secure" ciphersuites are enabled, limited
to 128 bit ciphers and sorted by terms of speed performance.
"NORMAL" means all "secure" ciphersuites. The 256-bit ciphers are
included as a fallback only. The ciphers are sorted by security
margin.
"SECURE128" means all "secure" ciphersuites with ciphers up to 128
bits, sorted by security margin.
"SECURE256" means all "secure" ciphersuites including the 256 bit
ciphers, sorted by security margin.
"EXPORT" means all ciphersuites are enabled, including the low-security
40 bit ciphers.
"NONE" means nothing is enabled. This disables even protocols and
compression methods.
SPECIAL KEYWORDS
"!" or "-" appended with an algorithm will remove this algorithm.
"+" appended with an algorithm will add this algorithm.
"%COMPAT" will enable compatibility features for a server.
"%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello.
"%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA-MD5 signatures in
certificate chains.
"%VERIFY_ALLOW_X509_V1_CA_CRT" will allow V1 CAs in chains.
NAMESPACE CONCERN
To avoid collisions in order to specify a compression algorithm in this
string you have to prefix it with "COMP-", protocol versions with
"VERS-" and certificate types with "CTYPE-". All other algorithms don’t
need a prefix.
EXAMPLES
"NORMAL:!AES-128-CBC" means normal ciphers except for AES-128.
"EXPORT:!VERS-TLS1.0:+COMP-DEFLATE" means that export ciphers are
enabled, TLS 1.0 is disabled, and libz compression enabled.
"NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL", "NORMAL",
"%COMPAT".
RETURNS
On syntax error GNUTLS_E_INVALID_REQUEST is returned, GNUTLS_E_SUCCESS
on success, or an error code.
REPORTING BUGS
Report bugs to <bug-gnutls@gnu.org>. GnuTLS home page:
http://www.gnu.org/software/gnutls/ General help using GNU software:
http://www.gnu.org/gethelp/
COPYRIGHT
Copyright © 2008 Free Software Foundation.
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.
SEE ALSO
The full documentation for gnutls is maintained as a Texinfo manual.
If the info and gnutls programs are properly installed at your site,
the command
info gnutls
should give you access to the complete manual.