[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] Wget and Perfect Forward Secrecy

From: Tim Ruehsen
Subject: Re: [Bug-wget] Wget and Perfect Forward Secrecy
Date: Thu, 15 Aug 2013 10:36:09 +0200
User-agent: KMail/4.10.5 (Linux/3.10-2-amd64; KDE/4.10.5; x86_64; ; )

I just found that OpenSSL also has a cipher naming convention:

If Wget is compiled with OpenSSL, the user could use these.
If Wget is compiled with GnuTLS, the user would use GnuTLS option strings.

Maybe a new option like --secure-options=... for expert users would be better 
than recycling --secure-protocol.
wgetrc should have two settings like secureoptionsgnutls and 
secureoptionsopenssl. For when a user changes these settings and than switches 
between wget-gnutls and wget-openssl. E.g. I sometimes do this for debugging 
or bug hunting or for comparing resource usage.

Beside this 'expert' option, there should be a an 'everyones' option to 
force/enable PFS, using --secure-protocol as I already suggested.

Regards, Tim

On Thursday 15 August 2013 09:22:09 Tim Ruehsen wrote:
> Hi,
> the recent discussion about PRISM and privacy in general made more and more
> web service operators enabling the so-called 'Perfect Forward Secrecy'
> (namely enabling Diffie Hellmann key exchange algorithms). For backward
> compatibility they still leave the none-DH (RSA) enabled, so that many
> clients (including Wget) choose these during handshake.
> To have more control over this behaviour, I would like to see the
> possibility for the user to force (or at least prefer) DH key exchange plus
> enabling secure cipher suites (e.g. 256 bit ciphers)
> Or in general more control to the user about SSL/TLS behaviour.
> GnuTLS already has a very user-friendly 'priority' scheme which we could
> open to users with e.g.
> --secure-protocol=gnutls:SECURE128:+SECURE256:-VERS- SSL3.0:-RSA. (Just an
> example how it could be done.)
> To make it easier for users we could also predefine something like --secure-
> protocol=force-pfs that internally maps to 'NORMAL:-VERS-SSL3.0:-RSA'.
> We could later write a wrapper to map GnuTLS priority syntax to OpenSSL API
> calls.
> Distribution maintainers could define a default in /etc/wgetrc
> (secureprotocol=...) as they like.
> Of course there are other ways to achieve the goal. At the moment I prefer
> extending --secure-protocol to not have another option. And second I prefer
> GnuTLS because of it's priority strings and because Wget and GnuTLS both are
> official GNU software.
> What do you think ?
> some references
> http://gnutls.org/manual/html_node/Priority-Strings.html
> http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html
> https://github.com/ssllabs/research/wiki/Forward-Secrecy
> To play around with priority string (example):
>       $ gnutls-cli --list www.savannah.de --priority NORMAL:-RSA
> To check your server security:
>       https://www.ssllabs.com/ssltest/index.html
> Regards, Tim

reply via email to

[Prev in Thread] Current Thread [Next in Thread]