Re: [Bug-wget] [PATCH] PFS runtime check
From: Tim Ruehsen
Subject: Re: [Bug-wget] [PATCH] PFS runtime check
Date: Mon, 09 Sep 2013 10:38:16 +0200
User-agent: KMail/4.10.5 (Linux/3.10-2-amd64; KDE/4.10.5; x86_64; ; )
On Sunday 08 September 2013 11:36:30 Daniel Kahn Gillmor wrote:
> >> Subject: [PATCH] PFS runtime check
> >
> > Thanks, applied now.
>
> Thank you both for your quick work.
>
> After sleeping on it, it occurs to me that some of these changes to the
> priority string handling may also end up being backported to older
> versions of gnutls, and wget wouldn't be able to take advantage of them
> directly in that case.
>
> Looking at the docs for gnutls_priority_set_direct(), it says:
>
> Returns: On syntax error GNUTLS_E_INVALID_REQUEST is returned,
> GNUTLS_E_SUCCESS on success, or an error code.
>
> I haven't tested (sorry!), but it seems like another approach would be
> to simply invoke gnutls_priority_set_direct(session, "PFS", NULL); and
> if it returns GNUTLS_E_INVALID_REQUEST, then fall back to setting the
> "NORMAL:-RSA" string directly.
>
> Knowing that wget could take advantage of such a feature retroactively
> might even encourage people doing stable/long-term maintenance of older
> versions of GnuTLS to backport this priority string to their stable branch.
I don't think we need a change. Even if the priority string 'PFS' is
backported to e.g. libgnutls 3.1.x, you still need a current Wget to use PFS.
And the current Wget falls back to 'NORMAL:-RSA', which is exactly the same
regarding the used ciphers (even the order is the same).
The only reason for using the 'PFS' priority string instead of 'NORMAL:-RSA'
is to enable future changes to PFS ciphers. This is forward compatibility;
backward compatibility is given right now.
Of course there could be a future divergence of 'PFS' and 'NORMAL:-RSA' which
is then backported to libgnutls < 3.2.4. But maybe we should talk about this
issue then, or the backporters create a Wget patch for their system !?
However, here is a patch for your suggestion.
Giuseppe should decide about it.
> Sorry to keep nit-picking on this; I'm very happy to see this option
> added to wget.
I appreciate your thinking about this in depth.
A bit OT:
Maybe we should advise system maintainers to put
secureprotocol = PFS
into /etc/wgetrc !?
Tim
Attachment: 0001-better-backport-availability-for-PFS-feature.patch (Text Data)
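The runtime fallback Daniel sketches above (try the "PFS" keyword first, and only on GNUTLS_E_INVALID_REQUEST fall back to the spelled-out "NORMAL:-RSA"), written out as an added C example. This is not wget's code and not the attached patch. To compile without libgnutls, the real gnutls_priority_set_direct(session, priorities, err_pos) is replaced by a callback with the same signature and the session is an opaque pointer; the two "fake" setters are constructed stand-ins for a library generation that knows "PFS" and one that does not. The numeric values of the two GNUTLS_E_ constants are taken from gnutls.h; the third error code is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Return codes named in the thread; numeric values as in gnutls.h. */
#define PFS_E_SUCCESS          0      /* GNUTLS_E_SUCCESS */
#define PFS_E_INVALID_REQUEST  (-50)  /* GNUTLS_E_INVALID_REQUEST: syntax error, unknown keyword */
#define PFS_E_OTHER_ERROR      (-1)   /* constructed stand-in for any other failure */

/* Same shape as gnutls_priority_set_direct(session, priorities, &err_pos);
   the session is opaque here so the block builds without libgnutls. */
typedef int (*priority_setter_fn)(void *session, const char *priorities,
                                  const char **err_pos);

/* Candidates, most preferred first: the "PFS" keyword (GnuTLS >= 3.2.4),
   then the equivalent string the current Wget already uses as its fallback. */
static const char *const pfs_candidates[] = { "PFS", "NORMAL:-RSA", NULL };

/* Try each candidate in order. A syntax error (GNUTLS_E_INVALID_REQUEST)
   means this library does not understand the keyword, so move on to the next.
   Any other error is real and is returned unchanged rather than masked by a
   further fallback. Returns the index of the accepted string, or the error. */
int set_priority_with_fallback(void *session, priority_setter_fn setter,
                               const char *const *candidates, const char **chosen)
{
    for (size_t i = 0; candidates[i] != NULL; i++) {
        const char *err_pos = NULL;
        int rc = setter(session, candidates[i], &err_pos);
        if (rc == PFS_E_SUCCESS) {
            if (chosen) *chosen = candidates[i];
            return (int)i;
        }
        if (rc != PFS_E_INVALID_REQUEST)
            return rc;
    }
    if (chosen) *chosen = NULL;
    return PFS_E_INVALID_REQUEST;  /* no candidate was accepted */
}

/* Constructed stand-in for a TLS session: records whether the "library"
   knows the PFS keyword and which string it ended up applying. */
struct fake_session { int knows_pfs; const char *applied; };

/* Constructed setter: rejects "PFS" with a syntax error on an "old" library. */
static int fake_set_direct(void *s, const char *prio, const char **err_pos)
{
    struct fake_session *fs = s;
    if (strcmp(prio, "PFS") == 0 && !fs->knows_pfs) {
        if (err_pos) *err_pos = prio;   /* point at the unknown keyword */
        return PFS_E_INVALID_REQUEST;
    }
    fs->applied = prio;
    return PFS_E_SUCCESS;
}

/* Constructed setter that fails for a reason other than syntax. */
static int fake_set_direct_failing(void *s, const char *prio, const char **err_pos)
{
    (void)s; (void)prio; (void)err_pos;
    return PFS_E_OTHER_ERROR;
}

int demo_new_library(void)   /* returns 0: "PFS" accepted directly */
{
    struct fake_session s = { 1, NULL };
    return set_priority_with_fallback(&s, fake_set_direct, pfs_candidates, NULL);
}

int demo_old_library(void)   /* returns 1: fell back to "NORMAL:-RSA" */
{
    struct fake_session s = { 0, NULL };
    return set_priority_with_fallback(&s, fake_set_direct, pfs_candidates, NULL);
}

int main(void)
{
    struct fake_session s = { 0, NULL };
    const char *chosen = NULL;
    int idx = set_priority_with_fallback(&s, fake_set_direct, pfs_candidates, &chosen);
    printf("old library: candidate %d accepted (%s)\n", idx, chosen ? chosen : "none");
    return 0;
}
```

The point of checking specifically for GNUTLS_E_INVALID_REQUEST is that only a syntax error means "this library does not know the keyword"; treating every failure as a reason to fall back would hide a genuine problem behind a weaker-looking success.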