bug-wget
From: Daniel Kahn Gillmor
Subject: Re: [Bug-wget] [PATCH] add PFS (Perfect Forward Security) value to --secure-protocol
Date: Sat, 07 Sep 2013 12:10:39 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130821 Icedove/17.0.8

This is a great contribution -- thanks Tim!  One comment below:

On 09/03/2013 05:55 AM, Tim Ruehsen wrote:
> diff --git a/src/gnutls.c b/src/gnutls.c
> index 0499a25..e76a3cc 100644
> --- a/src/gnutls.c
> +++ b/src/gnutls.c
> @@ -442,6 +442,13 @@ ssl_connect_wget (int fd, const char *hostname)
>      case secure_protocol_tlsv1:
>        err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", 
> NULL);
>        break;
> +    case secure_protocol_pfs:
> +#if defined (GNUTLS_VERSION_NUMBER) &&  GNUTLS_VERSION_NUMBER >= 0x030204
> +      err = gnutls_priority_set_direct (session, "PFS", NULL);
> +#else
> +      err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
> +#endif
> +      break;
>      default:
>        abort ();
>      }
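Review bot: the two branches of the new `case secure_protocol_pfs` are not equivalent, and the `#else` fallback should say so in a comment: `"NORMAL:-RSA"` only drops the plain-RSA key exchange from the NORMAL set, whereas `"PFS"` on GnuTLS >= 3.2.4 is the library's own dedicated priority keyword, so a user who asks for PFS on an older library silently gets the weaker approximation. Since `GNUTLS_VERSION_NUMBER` is a header constant, the `#if` also only reflects the headers present at build time and says nothing about the library loaded at run time; a one-line comment above `#else` such as `/* pre-3.2.4 GnuTLS has no "PFS" keyword; approximate it */` plus a log message when the fallback is taken would make the behaviour visible to the user. Finally, this excerpt references `secure_protocol_pfs` without showing the enum addition or the matching change in the OpenSSL backend; if those are elsewhere in the patch, a sentence in the commit message pointing to them would help.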

The patch above does a compile-time decision about what string to use.
So if the code is compiled against GnuTLS version 3.2.4, it assumes that
"PFS" is a valid priority string.

But since 3.2.4 is SONAME 28, and 3.2.3 (for example) also uses SONAME
28, it seems possible to build against 3.2.4 but link at runtime against
3.2.3, where "PFS" won't be available as a version string.

It might be better to do a runtime check (e.g. using
gnutls_check_version(NULL) >= 0x030204) instead of a compile-time check.

Regards,

        --dkg
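The runtime selection suggested in the reply, as an added example that is not part of the patch or of the wget source: it assumes the running library's version string is obtained from gnutls_check_version(NULL) and, to stay self-contained without linking GnuTLS, takes that string as a parameter and encodes it the same way GNUTLS_VERSION_NUMBER does (0xMMmmpp) before comparing against 0x030204.

```c
#include <stdio.h>
#include <string.h>

/* Encode "major.minor.patch" as 0xMMmmpp, the layout GNUTLS_VERSION_NUMBER
   uses, so a version string reported at run time can be compared against
   the 0x030204 threshold from the patch. Returns 0 if the string does not
   parse, which callers treat as "too old" (the safe direction). */
unsigned int gnutls_version_to_number(const char *ver)
{
    unsigned int major = 0, minor = 0, patch = 0;

    if (ver == NULL || sscanf(ver, "%u.%u.%u", &major, &minor, &patch) < 2)
        return 0;
    if (major > 0xff || minor > 0xff || patch > 0xff)
        return 0;
    return (major << 16) | (minor << 8) | patch;
}

/* Choose the priority string for --secure-protocol=PFS from the library
   actually loaded, not from the headers seen at build time. In real code
   runtime_version would be the result of gnutls_check_version(NULL)
   (assumed API usage, not shown here to avoid linking GnuTLS). */
const char *pfs_priority_for(const char *runtime_version)
{
    if (gnutls_version_to_number(runtime_version) >= 0x030204)
        return "PFS";            /* dedicated keyword, GnuTLS >= 3.2.4 */
    return "NORMAL:-RSA";        /* approximation for older libraries */
}

int main(void)
{
    /* Constructed sample version strings, as gnutls_check_version(NULL)
       might return them on different systems. */
    const char *samples[] = { "3.1.20", "3.2.3", "3.2.4", "3.3.0" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("GnuTLS %-7s -> 0x%06x -> priority \"%s\"\n", samples[i],
               gnutls_version_to_number(samples[i]),
               pfs_priority_for(samples[i]));
    return 0;
}
```

The build-against-3.2.4 / run-against-3.2.3 case from the reply is the "3.2.3" line: the header constant would have selected "PFS", the runtime check selects the fallback.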
