Re: [Bug-wget] [PATCH] add PFS (Perfect Forward Security) value to --secure-protocol

From: Daniel Kahn Gillmor
Subject: Re: [Bug-wget] [PATCH] add PFS (Perfect Forward Security) value to --secure-protocol
Date: Sat, 07 Sep 2013 12:10:39 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130821 Icedove/17.0.8
This is a great contribution -- thanks Tim! One comment below:
On 09/03/2013 05:55 AM, Tim Ruehsen wrote:
> diff --git a/src/gnutls.c b/src/gnutls.c
> index 0499a25..e76a3cc 100644
> --- a/src/gnutls.c
> +++ b/src/gnutls.c
> @@ -442,6 +442,13 @@ ssl_connect_wget (int fd, const char *hostname)
> case secure_protocol_tlsv1:
> err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0",
> NULL);
> break;
> + case secure_protocol_pfs:
> +#if defined (GNUTLS_VERSION_NUMBER) && GNUTLS_VERSION_NUMBER >= 0x030204
> + err = gnutls_priority_set_direct (session, "PFS", NULL);
> +#else
> + err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
> +#endif
> + break;
> default:
> abort ();
> }
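Review bot: the `#if defined (GNUTLS_VERSION_NUMBER) && GNUTLS_VERSION_NUMBER >= 0x030204` test in the new `secure_protocol_pfs` case is evaluated against the headers at build time, but whether `"PFS"` is accepted by `gnutls_priority_set_direct` depends on the shared library loaded at run time, so a binary built against newer headers can fail this call (and thus the whole connection) on a host with an older libgnutls. Prefer a run-time check, e.g. `if (gnutls_check_version ("3.2.4") != NULL)` select `"PFS"`, else fall back to `"NORMAL:-RSA"`, and consider logging the priority string actually applied, since the two branches give the user different cipher suite selections for the same `--secure-protocol=PFS` option and nothing in this hunk reveals which one is in effect.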
The patch above does a compile-time decision about what string to use. So if the code is compiled against GnuTLS version 3.2.4, it assumes that "PFS" is a valid priority string.

But since 3.2.4 is SONAME 28, and 3.2.3 (for example) also uses SONAME 28, it seems possible to build against 3.2.4 but link at runtime against 3.2.3, where "PFS" won't be available as a version string.

It might be better to do a runtime check (e.g. using gnutls_check_version(NULL) >= 0x030204) instead of a compile-time check.
Regards,
--dkg
Attachment: signature.asc (OpenPGP digital signature)
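The runtime check suggested above, written out as an added example (this is not wget's code, nor the patch that followed in the thread). `gnutls_check_version (NULL)` returns the version of the library actually loaded as a string such as "3.2.3", so it cannot be compared directly with the number 0x030204; the helper below parses that string into the same 0xMMmmpp form that GNUTLS_VERSION_NUMBER uses and chooses the priority string from it. The function `pfs_priority_string` and the sample version strings are assumptions for illustration; in wget the argument would be the result of `gnutls_check_version (NULL)` and the returned string would be passed to `gnutls_priority_set_direct`. The shorter form `gnutls_check_version ("3.2.4") != NULL` gives the same answer, since that call returns NULL when the runtime library is older than the requested version.

```c
#include <stdio.h>
#include <string.h>

/* Minimum GnuTLS version that understands the "PFS" priority keyword
   (3.2.4, encoded the way GNUTLS_VERSION_NUMBER encodes it). */
#define PFS_MIN_VERSION 0x030204

/* Parse a dotted version string such as "3.2.10" into the 0xMMmmpp form
   used by GNUTLS_VERSION_NUMBER.  Returns 0 if the string is not of the
   form major.minor[.patch].  Comparing the strings with strcmp would
   rank "3.2.10" below "3.2.4", so the components are compared as
   numbers instead. */
static unsigned int
version_to_number (const char *ver)
{
  unsigned int major = 0, minor = 0, patch = 0;
  int n;

  if (ver == NULL)
    return 0;
  n = sscanf (ver, "%u.%u.%u", &major, &minor, &patch);
  if (n < 2 || major > 255 || minor > 255 || patch > 255)
    return 0;
  return (major << 16) | (minor << 8) | patch;
}

/* Choose the priority string for --secure-protocol=PFS from the version
   of the library loaded at run time (in wget: gnutls_check_version (NULL)),
   not from the headers the binary was compiled against.  An unparsable
   or missing version falls back to the conservative string.
   (Hypothetical helper, not a wget function.) */
const char *
pfs_priority_string (const char *runtime_version)
{
  if (version_to_number (runtime_version) >= PFS_MIN_VERSION)
    return "PFS";
  return "NORMAL:-RSA";
}

int
main (void)
{
  /* Constructed sample versions, not output from any real system. */
  const char *samples[] = { "3.2.3", "3.2.4", "3.2.10", "3.3.0", "2.12.23" };
  size_t i;

  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf ("GnuTLS %-8s -> %s\n", samples[i],
            pfs_priority_string (samples[i]));
  return 0;
}
```

The numeric parse matters for the case dkg describes: a build against 3.2.4 headers that runs with 3.2.3 gets "NORMAL:-RSA", and a later library such as 3.2.10 still gets "PFS" even though a string comparison would have sorted it below 3.2.4.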
- [Bug-wget] [PATCH] add PFS (Perfect Forward Security) value to --secure-protocol, Tim Ruehsen, 2013/09/03
- Re: [Bug-wget] [PATCH] add PFS (Perfect Forward Security) value to --secure-protocol, Giuseppe Scrivano, 2013/09/07
- Re: [Bug-wget] [PATCH] add PFS (Perfect Forward Security) value to --secure-protocol, Daniel Kahn Gillmor <= (this message)
- Re: [Bug-wget] [PATCH] add PFS (Perfect Forward Security) value to --secure-protocol, Daniel Kahn Gillmor, 2013/09/07
- Re: [Bug-wget] [PATCH] PFS runtime check, Tim Rühsen, 2013/09/07
- Re: [Bug-wget] [PATCH] PFS runtime check, Giuseppe Scrivano, 2013/09/07
- Re: [Bug-wget] [PATCH] PFS runtime check, Daniel Kahn Gillmor, 2013/09/08
- Re: [Bug-wget] [PATCH] PFS runtime check, Tim Ruehsen, 2013/09/09
- Re: [Bug-wget] [PATCH] PFS runtime check, Giuseppe Scrivano, 2013/09/09