Re: [Bug-wget] [PATCH] PFS runtime check

bug-wget

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] [PATCH] PFS runtime check

From:	Tim Ruehsen
Subject:	Re: [Bug-wget] [PATCH] PFS runtime check
Date:	Mon, 09 Sep 2013 10:38:16 +0200
User-agent:	KMail/4.10.5 (Linux/3.10-2-amd64; KDE/4.10.5; x86_64; ; )

On Sunday 08 September 2013 11:36:30 Daniel Kahn Gillmor wrote:
> >> Subject: [PATCH] PFS runtime check
> > 
> > Thanks, applied now.
> 
> thank you both for your quick work.
> 
> After sleeping on it, it occurs to me that some of these changes to the
> priority string handling may also end up being backported to older
> versions of gnutls, and wget wouldn't be able to take advantage of them
> directly in that case.
> 
> looking at the docs for gnutls_priority_set_direct(), it says:
> 
>   Returns: On syntax error GNUTLS_E_INVALID_REQUEST is returned,
>   GNUTLS_E_SUCCESS on success, or an error code.
> 
> I haven't tested (sorry!), but it seems like another approach would be
> to simply invoke gnutls_priority_set_direct(session, "PFS", NULL); and
> if it returns GNUTLS_E_INVALID_REQUEST, then fall back to setting the
> "NORMAL:-RSA" string directly.
> 
> Knowing that wget could take advantage of such a feature retroactively
> might even encourage people doing stable/long-term maintenance of older
> versions of GnuTLS to backport this priority string to their stable branch.

I don't think, we need a change. Even if the priority string 'PFS' will be 
backported to e.g. libgnutls 3.1.x, you still need a current Wget to use PFS.
And the current Wget falls back to 'NORMAL:-RSA' which is exactly the same 
regarding the used ciphers (even the order is the same).
The only reason for using the 'PFS' priority string instead of 'NORMAL:-RSA' 
is to enable future changes to PFS ciphers. This is a forward compatibility, 
the backward compatibility is given right now.

Of course there could be a future diversion of 'PFS' and 'NORMAL:-RSA' which 
is than backported to libgnutls < 3.2.4. But maybe we should talk about this 
issue than, or the backporters creates a Wget patch for their system !?

However, here is a patch for your suggestion.
Should Giuseppe decide about it.

> Sorry to keep nit-picking on this; i'm very happy to see this option
> added to wget.

I appreciate your thinking about this in depth.

a bit OT:
Maybe we should advise system maintainers to put
        secureprotocol = PFS
into /etc/wgetrc !?

Tim

0001-better-backport-availability-for-PFS-feature.patch
Description: Text Data

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug-wget] [PATCH] add PFS (Perfect Forward Security) value to --secure-protocol, Tim Ruehsen, 2013/09/03
- Re: [Bug-wget] [PATCH] add PFS (Perfect Forward Security) value to --secure-protocol, Giuseppe Scrivano, 2013/09/07
- Re: [Bug-wget] [PATCH] add PFS (Perfect Forward Security) value to --secure-protocol, Daniel Kahn Gillmor, 2013/09/07
  - Re: [Bug-wget] [PATCH] add PFS (Perfect Forward Security) value to --secure-protocol, Daniel Kahn Gillmor, 2013/09/07
    - Re: [Bug-wget] [PATCH] PFS runtime check, Tim Rühsen, 2013/09/07
    - Re: [Bug-wget] [PATCH] PFS runtime check, Giuseppe Scrivano, 2013/09/07
    - Re: [Bug-wget] [PATCH] PFS runtime check, Daniel Kahn Gillmor, 2013/09/08
    - Re: [Bug-wget] [PATCH] PFS runtime check, Tim Ruehsen <=
    - Re: [Bug-wget] [PATCH] PFS runtime check, Giuseppe Scrivano, 2013/09/09

Prev by Date: Re: [Bug-wget] .m3u8 url playing with .bat file wget and vlc player
Next by Date: Re: [Bug-wget] [PATCH] PFS runtime check
Previous by thread: Re: [Bug-wget] [PATCH] PFS runtime check
Next by thread: Re: [Bug-wget] [PATCH] PFS runtime check
Index(es):
- Date
- Thread