Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
From: Tomas Hozza
Subject: Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
Date: Tue, 8 Jul 2014 04:43:20 -0400 (EDT)
----- Original Message -----
> On 07/07/14 21:46, Tomas Hozza wrote:
> > Hi.
> >
> > In Fedora we are moving to a system-wide policy for the
> > ciphers in use. [1] Therefore we need wget to be compiled with a
> > set of ciphers other than the hard-coded one when using OpenSSL.
> >
> > I'm attaching a patch adding a new configure option,
> > --with-openssl-ciphers-list=LIST, which can be used
> > to redefine the ciphers list when compiled with OpenSSL.
> > It can be used only if --with-ssl=openssl. If not
> > defined, the ciphers list previously used by wget is used.
> >
> > [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
> >
> >
> > Regards,
> Hello Tomas,
>
> Thanks for your patch. Some comments:
>
> You are only changing the override for --secure-protocol=pfs.
> IMHO this is wrong. The --secure-protocol= command line option should
> override the system policy.
The system policy in the Fedora change proposal is meant only for
the algorithms used, not for protocols. The patch IMHO does not change the
behavior in this regard. IOW, --secure-protocol will work as it
did before.
> Additionally I would recommend using just --with-ciphers-list=LIST
> and make it work with either OpenSSL or GnuTLS (but maybe you
> don't need it after all?)
Yes, I know the option is kind of long and not nice. In Fedora we compile
wget against OpenSSL. Initially I wanted to contribute the option you are
suggesting (also for GnuTLS). However, the GnuTLS code seems too
complicated to me to make the change in a simple way. Therefore I decided
to go the "only openssl" way. If anyone is willing to help me make
it work also for GnuTLS, I'll rename it.
> Finally, if you redefine the cipher list in wget code, I think it should
> be noted in the output of
> wget --version
Added in v2 of the patch (attached).
Thanks for the feedback.
Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
0001-Add-configure-option-with-openssl-ciphers-list-v2.patch
Description: Text Data
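The patch discussed in this thread replaces a hard-coded OpenSSL cipher string with one chosen at configure time, falling back to the built-in default when none is given. The one thing a packager wants to verify before shipping such a build is that the configured string actually selects ciphers on the linked OpenSSL, because a string that matches nothing makes every TLS connection fail. The following is an added example, not code from wget or from the attached patch: it uses Python's ssl module, which is a thin wrapper over SSL_CTX_set_cipher_list(), to model the default-or-override logic and to validate a cipher string offline. DEFAULT_CIPHER_LIST is a constructed placeholder, since wget's real default is not quoted in the thread.

```python
import ssl
from typing import List, Optional, Tuple

# Constructed stand-in for the compile-time default the patch keeps when
# --with-openssl-ciphers-list is not passed to configure. wget's actual
# default cipher string is not quoted in this thread.
DEFAULT_CIPHER_LIST = "HIGH:!aNULL:!eNULL:!MD5"


def effective_cipher_list(configured: Optional[str]) -> str:
    """Mirror the patch's behaviour: use the configure-time override when one
    was given (non-empty), otherwise the built-in default."""
    return configured if configured else DEFAULT_CIPHER_LIST


def resolve_ciphers(cipher_list: str) -> List[str]:
    """Apply an OpenSSL cipher string to a fresh context and return the names
    of the TLS 1.2-and-below suites it enables.

    ssl.SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list() and raises
    ssl.SSLError when the string selects no cipher, which is the case the C
    code reports with a 0 return value. TLS 1.3 suites are governed by a
    separate OpenSSL setting, so they are filtered out of the result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return [
        c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"
    ]


def validate_cipher_list(cipher_list: str) -> Tuple[bool, str]:
    """Configure-time style sanity check: report whether the string is usable
    with the OpenSSL this interpreter is linked against, plus a short reason.

    A build that accepted an unusable LIST would ship a client that cannot
    complete any TLS handshake, so rejecting it here is the safer default.
    """
    try:
        names = resolve_ciphers(cipher_list)
    except ssl.SSLError as exc:
        return False, "OpenSSL rejected cipher list %r: %s" % (cipher_list, exc)
    if not names:
        return False, "cipher list %r enables no TLS<=1.2 suites" % cipher_list
    return True, "%d cipher suite(s) enabled" % len(names)


if __name__ == "__main__":
    # Simulate the two build configurations the patch supports.
    for configured in (None, "HIGH:!aNULL:!MD5:!RC4", "NO-SUCH-CIPHER"):
        chosen = effective_cipher_list(configured)
        ok, reason = validate_cipher_list(chosen)
        print("configured=%r -> %r: %s" % (configured, chosen, reason))
        if ok:
            print("  e.g.", ", ".join(resolve_ciphers(chosen)[:3]))
```

The `validate_cipher_list` check is what an autoconf test for the new option could do (in C, via SSL_CTX_set_cipher_list() on a throwaway context) so that an unusable LIST fails at configure time rather than at every `wget https://` invocation. Note that the check is against the OpenSSL the build links to; a string accepted on one system can still select nothing on a host whose OpenSSL is built or policy-restricted differently.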