
Re: [Bug-wget] [PATCH] PFS runtime check

From: Tim Ruehsen
Subject: Re: [Bug-wget] [PATCH] PFS runtime check
Date: Mon, 09 Sep 2013 10:38:16 +0200
User-agent: KMail/4.10.5 (Linux/3.10-2-amd64; KDE/4.10.5; x86_64; ; )

On Sunday 08 September 2013 11:36:30 Daniel Kahn Gillmor wrote:
> >> Subject: [PATCH] PFS runtime check
> > 
> > Thanks, applied now.
> Thank you both for your quick work.
> After sleeping on it, it occurs to me that some of these changes to the
> priority string handling may also end up being backported to older
> versions of gnutls, and wget wouldn't be able to take advantage of them
> directly in that case.
> Looking at the docs for gnutls_priority_set_direct(), it says:
>   Returns: On syntax error GNUTLS_E_INVALID_REQUEST is returned,
>   GNUTLS_E_SUCCESS on success, or an error code.
> I haven't tested (sorry!), but it seems like another approach would be
> to simply invoke gnutls_priority_set_direct(session, "PFS", NULL); and
> if it returns GNUTLS_E_INVALID_REQUEST, then fall back to setting the
> "NORMAL:-RSA" string directly.
> Knowing that wget could take advantage of such a feature retroactively
> might even encourage people doing stable/long-term maintenance of older
> versions of GnuTLS to backport this priority string to their stable branch.

I don't think we need a change. Even if the priority string 'PFS' is 
backported to e.g. libgnutls 3.1.x, you still need a current Wget to use PFS.
And the current Wget falls back to 'NORMAL:-RSA', which is exactly the same 
regarding the used ciphers (even the order is the same).
The only reason for using the 'PFS' priority string instead of 'NORMAL:-RSA' 
is to enable future changes to PFS ciphers. This is about forward compatibility; 
the backward compatibility is given right now.

Of course there could be a future divergence of 'PFS' and 'NORMAL:-RSA' which 
is then backported to libgnutls < 3.2.4. But maybe we should talk about this 
issue then, or the backporters create a Wget patch for their system!?

However, here is a patch for your suggestion.
Giuseppe should decide about it.

> Sorry to keep nit-picking on this; i'm very happy to see this option
> added to wget.

I appreciate your thinking about this in depth.

A bit OT:
Maybe we should advise system maintainers to put
        secureprotocol = PFS
into /etc/wgetrc!?


Attachment: 0001-better-backport-availability-for-PFS-feature.patch
Description: Text Data
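The runtime fallback Daniel describes (try the "PFS" keyword, fall back to "NORMAL:-RSA" only when the library reports GNUTLS_E_INVALID_REQUEST), written out as an added example that is neither Tim's attached patch nor wget code. It assumes the error-code values match gnutls.h and uses constructed stand-in functions in place of libgnutls so it builds without the library; a real caller would pass a thin wrapper around gnutls_priority_set_direct().

```c
#include <string.h>

/* Error codes as in gnutls/gnutls.h (values assumed to match that header);
   defined locally so this example builds without libgnutls installed. */
#define GNUTLS_E_SUCCESS          0
#define GNUTLS_E_INVALID_REQUEST  (-50)
#define GNUTLS_E_MEMORY_ERROR     (-25)

/* Same shape as gnutls_priority_set_direct(): session, priority string,
   optional pointer receiving the position of a syntax error. */
typedef int (*priority_set_fn)(void *session, const char *prio, const char **err_pos);

/* Try the "PFS" keyword first. Only GNUTLS_E_INVALID_REQUEST (syntax error:
   the library does not know the keyword) triggers the fallback to the
   equivalent "NORMAL:-RSA" string; every other error is passed through.
   Returns the string that was accepted, or NULL on failure (rc in *rc_out). */
const char *pfs_priority_string(priority_set_fn set_prio, void *session, int *rc_out)
{
    const char *err = NULL, *chosen = "PFS";
    int rc = set_prio(session, chosen, &err);
    if (rc == GNUTLS_E_INVALID_REQUEST) {
        chosen = "NORMAL:-RSA";           /* GnuTLS < 3.2.4 without "PFS" */
        rc = set_prio(session, chosen, &err);
    }
    if (rc_out) *rc_out = rc;
    return rc == GNUTLS_E_SUCCESS ? chosen : NULL;
}

/* Constructed stand-ins for three library behaviours (not real GnuTLS code). */
static int new_gnutls(void *s, const char *p, const char **e)
{   /* knows both "PFS" and "NORMAL:-RSA" */
    (void)s; (void)e;
    return (!strcmp(p, "PFS") || !strcmp(p, "NORMAL:-RSA")) ? GNUTLS_E_SUCCESS
                                                            : GNUTLS_E_INVALID_REQUEST;
}
static int old_gnutls(void *s, const char *p, const char **e)
{   /* rejects the "PFS" keyword as a syntax error, as pre-3.2.4 releases do */
    (void)s;
    if (!strcmp(p, "NORMAL:-RSA")) return GNUTLS_E_SUCCESS;
    if (e) *e = p;
    return GNUTLS_E_INVALID_REQUEST;
}
static int oom_gnutls(void *s, const char *p, const char **e)
{   /* unrelated failure: must not be mistaken for a missing keyword */
    (void)s; (void)p; (void)e;
    return GNUTLS_E_MEMORY_ERROR;
}
```

With the old-library stand-in the function settles on "NORMAL:-RSA"; with the memory-error stand-in it returns NULL and leaves the original error code in *rc_out instead of retrying.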
