bug-wget

Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL


From: Tim Ruehsen
Subject: Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
Date: Tue, 08 Jul 2014 12:06:43 +0200
User-agent: KMail/4.12.4 (Linux/3.14-1-amd64; KDE/4.13.1; x86_64; ; )

On Tuesday 08 July 2014 04:43:20 Tomas Hozza wrote:
> ----- Original Message -----
> 
> > On 07/07/14 21:46, Tomas Hozza wrote:
> > > Hi.
> > > 
> > > In Fedora we are moving to a system-wide policy for the
> > > ciphers in use. [1] Therefore we need wget to be compiled with
> > > a set of ciphers other than the hard-coded one when using OpenSSL.
> > > 
> > > I'm attaching a patch adding a new configure option,
> > > --with-openssl-ciphers-list=LIST, which can be used
> > > to redefine the ciphers list when compiled with OpenSSL.
> > > It can be used only if --with-ssl=openssl. If not
> > > defined, the ciphers list previously used by wget is used.
> > > 
> > > [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
> > > 
> > > 
> > > Regards,
> > 
> > Hello Tomas,
> > 
> > Thanks for your patch. Some comments:
> > 
> > You are only changing the override for --secure-protocol=pfs
> > IMHO this is wrong. --secure-protocol= command line should
> > override the system policy.
> 
> The system policy in the Fedora change proposal is meant only for
> used algorithms, not protocols. The patch IMHO does not change the
> behavior in this regard. IOW the --secure-protocol will work as it
> did before.
> 
> > Additionally I would recommend using just --with-ciphers-list=LIST
> > and make it work with either OpenSSL or GnuTLS (but maybe you
> > don't need it after all?)
> 
> Yes, I know the option is kind of long and not nice. In Fedora we compile
> wget against OpenSSL. Initially I wanted to contribute the option you are
> suggesting (also for GnuTLS). However, the GnuTLS code seems too
> complicated to me to make the change in a simple way. Therefore I decided
> to go the "only openssl" way. If anyone is willing to help me make
> it work also for GnuTLS, I'll rename it.

I already have kind of this in Mget - I extended --secure-protocol to accept
priority strings for GnuTLS (I don't have OpenSSL code in there).

                "      --secure-protocol   Set protocol to be used (auto, SSLv3, TLSv1, PFS). (default: auto)\n"
                "                          Or use GnuTLS priority strings, e.g. NORMAL:-VERS-SSL3.0:-RSA\n"

So I could adapt that to Wget.

What do you think about extending --secure-protocol and having a runtime
option instead of a compile-time option? Users could set the system-wide
default value in /etc/wgetrc, and people are able to override it through
~/.wgetrc or --secure-protocol.

Tim
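The runtime scheme Tim proposes above (a system-wide default in /etc/wgetrc, overridable per user in ~/.wgetrc or per invocation with --secure-protocol) is modelled below as an added example. It is not wget's or Mget's code. The wgetrc parsing is a simplified approximation of the real format (`key = value` lines, `#` comments, `-` and `_` equivalent in keys), the keyword set (auto, SSLv3, TLSv1, PFS) is taken from the quoted Mget help text, and anything else is treated as a GnuTLS priority string whose shape is only loosely checked here; real validation would be done by GnuTLS itself when the string is applied. The sample rc contents are constructed.

```python
"""Resolve the effective --secure-protocol value from layered configuration.

Added example (not wget's own code). Precedence, lowest to highest:
built-in default < /etc/wgetrc < ~/.wgetrc < --secure-protocol on the
command line. A distribution can therefore ship its crypto policy as the
system-wide default while users keep the ability to override it.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Keywords from the quoted Mget help text; anything else is treated as a
# GnuTLS priority string.
KEYWORDS = {"auto", "sslv3", "tlsv1", "pfs"}


def parse_wgetrc(text: str) -> Dict[str, str]:
    """Simplified wgetrc parser (assumption: 'key = value' lines, full-line
    '#' comments, keys case-insensitive with '-' and '_' interchangeable)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower().replace("-", "_")] = value.strip()
    return settings


def looks_like_priority_string(value: str) -> bool:
    """Loose shape check for a GnuTLS priority string such as
    NORMAL:-VERS-SSL3.0:-RSA: colon-separated tokens, each after the first
    optionally prefixed with '+', '-' or '!'. This is an assumption about the
    syntax, not a substitute for gnutls_priority_init()."""
    tokens = value.split(":")
    for i, tok in enumerate(tokens):
        body = tok[1:] if i > 0 and tok[:1] in "+-!" else tok
        if not body or not all(c.isalnum() or c in ".-_%" for c in body):
            return False
    return True


@dataclass
class Resolution:
    value: str
    source: str   # which layer supplied the value
    kind: str     # "keyword" or "priority-string"


def resolve_secure_protocol(system_rc: str, user_rc: str,
                            cli: Optional[str]) -> Resolution:
    """Apply the precedence order and classify the winning value."""
    layers = [
        ("built-in default", "auto"),
        ("/etc/wgetrc", parse_wgetrc(system_rc).get("secure_protocol")),
        ("~/.wgetrc", parse_wgetrc(user_rc).get("secure_protocol")),
        ("--secure-protocol", cli),
    ]
    value, source = "auto", "built-in default"
    for name, candidate in layers:
        if candidate:
            value, source = candidate, name
    if value.lower() in KEYWORDS:
        return Resolution(value, source, "keyword")
    if looks_like_priority_string(value):
        return Resolution(value, source, "priority-string")
    raise ValueError(f"unrecognised secure-protocol value {value!r} from {source}")


# Constructed sample configurations.
SYSTEM_RC = """# distribution-wide crypto policy (constructed sample)
secure_protocol = SECURE128:-VERS-SSL3.0
"""
USER_RC = """# a user's own override (constructed sample)
secure-protocol = TLSv1
"""

if __name__ == "__main__":
    for label, sys_rc, usr_rc, cli in [
        ("system policy only", SYSTEM_RC, "", None),
        ("user override", SYSTEM_RC, USER_RC, None),
        ("command line wins", SYSTEM_RC, USER_RC, "PFS"),
    ]:
        r = resolve_secure_protocol(sys_rc, usr_rc, cli)
        print(f"{label:20} -> {r.value} ({r.kind}, from {r.source})")
```

The point of keeping the policy a runtime value rather than a configure-time constant is visible in the three cases: the same binary honours the distribution's default, a user's ~/.wgetrc, and an explicit command-line choice, in that order.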
