
Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL

From: Tomas Hozza
Subject: Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
Date: Tue, 8 Jul 2014 04:43:20 -0400 (EDT)

----- Original Message -----
> On 07/07/14 21:46, Tomas Hozza wrote:
> > Hi.
> >
> > In Fedora we are moving to a system-wide policy of used
> > ciphers. [1] Therefore we need wget to be compiled with a set of
> > ciphers other than the hard-coded one when using OpenSSL.
> >
> > I'm attaching a patch adding a new configure option,
> > --with-openssl-ciphers-list=LIST, which can be used
> > to redefine the ciphers list when compiled with OpenSSL.
> > It can be used only if --with-ssl=openssl. If not
> > defined, the ciphers list previously used by wget is used.
> >
> > [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
> >
> >
> > Regards,
> Hello Tomas,
> Thanks for your patch. Some comments:
> You are only changing the override for --secure-protocol=pfs.
> IMHO this is wrong. The --secure-protocol= command line option should
> override the system policy.

The system policy in the Fedora change proposal is meant only for
used algorithms, not protocols. The patch IMHO does not change the
behavior in this regard. IOW the --secure-protocol will work as it
did before.
> Additionally I would recommend using just --with-ciphers-list=LIST
> and making it work with either OpenSSL or GnuTLS (but maybe you
> don't need it after all?)

Yes, I know the option is kind of long and not nice. In Fedora we compile
wget against OpenSSL. Initially I wanted to contribute the option you are
suggesting (also for GnuTLS). However, the GnuTLS code seems too
complicated to me to make the change in a simple way. Therefore I decided
to go the "only openssl" way. If anyone is willing to help me make
it work also for GnuTLS, I'll rename it.

> Finally, if you redefine the cipher list on wget code, I think it should
> be noted in the output of
>   wget --version

Added in v2 of the patch (attached).

Thanks for the feedback.

Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

Red Hat Inc.                               http://cz.redhat.com

Attachment: 0001-Add-configure-option-with-openssl-ciphers-list-v2.patch
Description: Text Data
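Before baking a cipher string into a build through an option like the proposed --with-openssl-ciphers-list, it helps to see which suites OpenSSL actually selects for it and whether a forward-secrecy mode such as --secure-protocol=pfs is still honoured. The following checker is an added example for this thread, not code from wget or from the patch; it uses Python's ssl module (which applies OpenSSL's own cipher-string rules) and the two sample cipher strings are constructed for illustration, not wget's real defaults.

```python
import ssl

# Constructed sample specs (assumptions for this example, not wget's own lists):
# a system-policy style list, and the kind of forward-secrecy-only list a pfs mode implies.
SAMPLE_POLICY = "HIGH:!aNULL:!MD5:!RC4:!3DES"
SAMPLE_PFS = "ECDHE+AESGCM:DHE+AESGCM"


def expand_cipher_list(spec):
    """Return the suites OpenSSL selects for an OpenSSL cipher string.

    Raises ValueError when nothing matches, which is exactly the case where
    SSL_CTX_set_cipher_list() would fail at wget's run time.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError as exc:
        raise ValueError(f"cipher list rejected by OpenSSL: {spec!r}") from exc
    return ctx.get_ciphers()


def key_exchange(cipher):
    """Extract the Kx= field from OpenSSL's one-line cipher description."""
    for field in cipher["description"].split():
        if field.startswith("Kx="):
            return field[3:]
    return "?"


def non_pfs_ciphers(spec):
    """Names of selected suites without forward secrecy (static RSA/DH key exchange).

    TLS 1.3 suites report Kx=any and always use ephemeral key exchange.
    """
    return [c["name"] for c in expand_cipher_list(spec)
            if key_exchange(c) not in ("ECDH", "DH", "any")]


if __name__ == "__main__":
    for label, spec in (("policy", SAMPLE_POLICY), ("pfs", SAMPLE_PFS)):
        suites = expand_cipher_list(spec)
        print(f"{label}: {spec!r} -> {len(suites)} suites, "
              f"non-PFS: {non_pfs_ciphers(spec)}")
```

Running it against a distribution's policy string shows whether the policy itself already removes the suites a pfs override would drop, which is the point the thread debates.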
