I just found that OpenSSL also has a cipher naming convention:
http://www.openssl.org/docs/apps/ciphers.html
If Wget is compiled with OpenSSL, the user could use these.
If Wget is compiled with GnuTLS, the user would use GnuTLS option strings.
Maybe a new option like --secure-options=... for expert users would be better
than recycling --secure-protocol.
wgetrc should have two settings like secureoptionsgnutls and
secureoptionsopenssl. For when a user changes these settings and than switches
between wget-gnutls and wget-openssl. E.g. I sometimes do this for debugging
or bug hunting or for comparing resource usage.
Beside this 'expert' option, there should be a an 'everyones' option to
force/enable PFS, using --secure-protocol as I already suggested.
Regards, Tim