
Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL


From: Tomas Hozza
Subject: Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
Date: Tue, 8 Jul 2014 10:00:24 -0400 (EDT)

----- Original Message -----
> On Tuesday 08 July 2014 04:43:20 Tomas Hozza wrote:
> > ----- Original Message -----
> > 
> > > On 07/07/14 21:46, Tomas Hozza wrote:
> > > > Hi.
> > > > 
> > > > In Fedora we are moving to a system-wide policy of used
> > > > ciphers. [1] Therefore we need wget to be compiled with a set of
> > > > ciphers other than the hard-coded one when using OpenSSL.
> > > > 
> > > > I'm attaching a patch adding a new configure option,
> > > > --with-openssl-ciphers-list=LIST, which can be used
> > > > to redefine the ciphers list when compiled with OpenSSL.
> > > > It can be used only if --with-ssl=openssl. If not
> > > > defined, the previously used (by wget) ciphers list is used.
> > > > 
> > > > [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
> > > > 
> > > > 
> > > > Regards,
> > > 
> > > Hello Tomas,
> > > 
> > > Thanks for your patch. Some comments:
> > > 
> > > You are only changing the override for --secure-protocol=pfs
> > > IMHO this is wrong. --secure-protocol= command line should
> > > override the system policy.
> > 
> > The system policy in the Fedora change proposal is meant only for
> > used algorithms, not protocols. The patch IMHO does not change the
> > behavior in this regard. IOW the --secure-protocol will work as it
> > did before.
> > 
> > > Additionally I would recommend using just --with-ciphers-list=LIST
> > > and make it work with either OpenSSL or GnuTLS (but maybe you
> > > don't need it after all?)
> > 
> > Yes, I know the option is kind of long and not nice. In Fedora we compile
> > wget against OpenSSL. Initially I wanted to contribute the option you are
> > suggesting (also for GnuTLS). However, the GnuTLS code seems too
> > complicated to me to do the change in a simple way. Therefore I decided
> > to go the "only openssl" way. If anyone is willing to help me make
> > it work also for GnuTLS, I'll rename it.
> 
> I already have kind of this in Mget - I extended --secure-protocol to accept
> priority strings for GnuTLS (I don't have OpenSSL code in there).
>               "      --secure-protocol   Set protocol to be used (auto, SSLv3, TLSv1, PFS). (default: auto)\n"
>               "                          Or use GnuTLS priority strings, e.g. NORMAL:-VERS-SSL3.0:-RSA\n"
> 
> So I could adapt that to Wget.
> 
> What do you think about extending --secure-protocol and having a runtime
> option instead of a compile time option? Users could set the system wide
> default value in /etc/wgetrc and people are able to override it through
> ~/.wgetrc or --secure-protocol.

Hi Tim.

I'm afraid this is not suitable for us. We need to be able to define the
policy somewhere in /etc, where the user is not able to change it (only
the system administrator).

Also, the main intention is to have a single place to set the policy for all
system components, therefore wgetrc is not the right place for us.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                               http://cz.redhat.com
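As an added illustration of the configure-time approach discussed in this thread (this is not the submitted patch, whose text is not in the archive), the following hypothetical configure.ac fragment accepts --with-openssl-ciphers-list=LIST, refuses it unless --with-ssl=openssl was chosen, and exports the list as a C macro the OpenSSL backend can fall back on when no --secure-protocol override applies. The macro name WGET_OPENSSL_CIPHERS_LIST, the shell variable with_ssl and the character check are assumptions of this example.

```m4
dnl Hypothetical configure.ac fragment (added example, not wget's own code).
dnl Assumes the earlier --with-ssl handling has left its value in $with_ssl.
AC_ARG_WITH([openssl-ciphers-list],
  [AS_HELP_STRING([--with-openssl-ciphers-list=LIST],
     [OpenSSL cipher list used by default (requires --with-ssl=openssl)])],
  [openssl_ciphers_list="$withval"],
  [openssl_ciphers_list=""])

AS_IF([test -n "$openssl_ciphers_list"], [
  dnl The option only makes sense for the OpenSSL backend; fail early
  dnl instead of silently ignoring an administrator's policy choice.
  AS_IF([test "x$with_ssl" != "xopenssl"],
        [AC_MSG_ERROR([--with-openssl-ciphers-list requires --with-ssl=openssl])])

  dnl Reject anything that is plainly not an OpenSSL cipher string so a
  dnl typo cannot end up compiled into every build (allowed: letters,
  dnl digits and the OpenSSL list operators : + - ! @ = ,).
  AS_CASE([$openssl_ciphers_list],
          [*[[!a-zA-Z0-9:+!@=,-]]*],
          [AC_MSG_ERROR([invalid character in OpenSSL cipher list])])

  dnl Export LIST as a C string literal; the OpenSSL backend uses it in
  dnl place of its hard-coded default when this macro is defined.
  AC_DEFINE_UNQUOTED([WGET_OPENSSL_CIPHERS_LIST], ["$openssl_ciphers_list"],
                     [Default OpenSSL cipher list chosen at configure time])
  AC_MSG_NOTICE([using OpenSSL cipher list: $openssl_ciphers_list])
])
```

In the backend, the default would then be selected with `#ifdef WGET_OPENSSL_CIPHERS_LIST` before calling SSL_CTX_set_cipher_list, leaving the explicit --secure-protocol=pfs list untouched as the thread requires.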


