consider supporting an AEAD mode which does not require a unique nonce
Currently all the AEAD modes we support require a unique nonce; if a nonce is repeated, in the case of AES-CCM and AES-GCM the secrecy provided by the algorithm is lost. Stateless protocols (unlike TLS and DTLS) cannot use such ciphers safely. There are new AEAD modes that eliminate this limitation, and we should consider adding such a mode to make gnutls useful to such applications. Examples of such modes:
- AEAD_AES_SIV_CMAC, used by NTP
Additionally, such an AEAD cipher would be a good candidate to replace the current CBC-based ticket encryption.
Edited by Nikos Mavrogiannopoulos