Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
From: Tomas Hozza
Subject: Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
Date: Tue, 8 Jul 2014 10:00:24 -0400 (EDT)
----- Original Message -----
> On Tuesday 08 July 2014 04:43:20 Tomas Hozza wrote:
> > ----- Original Message -----
> >
> > > On 07/07/14 21:46, Tomas Hozza wrote:
> > > > Hi.
> > > >
> > > > In Fedora we are moving to a system-wide policy of used
> > > > ciphers. [1] Therefore we need wget to be compiled with a set
> > > > of ciphers other than the hard-coded one when using OpenSSL.
> > > >
> > > > I'm attaching patch adding new configure option
> > > > --with-openssl-ciphers-list=LIST, which can be used
> > > > to redefine the ciphers list when compiled with OpenSSL.
> > > > It can be used only if --with-ssl=openssl. If not
> > > > defined, the previously used (by wget) ciphers list is used.
> > > >
> > > > [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
> > > >
> > > >
> > > > Regards,
> > >
> > > Hello Tomas,
> > >
> > > Thanks for your patch. Some comments:
> > >
> > > You are only changing the override for --secure-protocol=pfs
> > > IMHO this is wrong. --secure-protocol= command line should
> > > override the system policy.
> >
> > The system policy in the Fedora change proposal is meant only for
> > used algorithms, not protocols. The patch IMHO does not change the
> > behavior in this regard. IOW the --secure-protocol will work as it
> > did before.
> >
> > > Additionally I would recommend using just --with-ciphers-list=LIST
> > > and make it work with either OpenSSL or GnuTLS (but maybe you
> > > don't need it after all?)
> >
> > Yes, I know the option is kind of long and not nice. In Fedora we compile
> > wget against OpenSSL. Initially I wanted to contribute the option you are
> > suggesting (also for GnuTLS). However, the GnuTLS code seems too
> > complicated for me to change in a simple way. Therefore I decided
> > to go the "only openssl" way. If anyone is willing to help me make
> > it work also for GnuTLS, I'll rename it.
>
> I already have kind of this in Mget - I extended --secure-protocol to accept
> priority strings for GnuTLS (I don't have OpenSSL code in there).
> " --secure-protocol Set protocol to be used (auto, SSLv3,
> TLSv1, PFS). (default: auto)\n"
> " Or use GnuTLS priority strings, e.g.
> NORMAL:-VERS-SSL3.0:-RSA\n"
>
> So I could adapt that to Wget.
>
> What do you think about extending --secure-protocol and having a runtime
> option instead of a compile-time option? Users could set the system-wide
> default value in /etc/wgetrc and people are able to override it through
> ~/.wgetrc or --secure-protocol.
Hi Tim.
I'm afraid this is not suitable for us. We need to be able to define the
policy somewhere in /etc, where the user is not able to change it (only
the system administrator).
Also, the main intention is to have a single place to set the policy for all
system components; therefore wgetrc is not the right place for us.
Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
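The thread debates where a cipher-list string should come from (a configure-time option, or a runtime setting in /etc/wgetrc). Either way the string ends up in OpenSSL's SSL_CTX_set_cipher_list(), and a wrong value only surfaces at the first HTTPS request. The following is an added example, not code from this thread, from wget or from Fedora: it uses Python's ssl module (which wraps that same OpenSSL call) to validate a cipher-list string and audit what it actually enables before the string is baked in or shipped in a policy file. PERMISSIVE, RESTRICTED and FORBIDDEN are constructed illustrative values, not Fedora's policy or wget's defaults.

```python
"""Added example: validate and audit an OpenSSL cipher-list string.

Not part of the wget thread or the wget code base.  Uses Python's ssl
module, whose set_ciphers() calls SSL_CTX_set_cipher_list(), the same
OpenSSL API a compile-time or configured cipher list is passed to.
"""
import ssl

# Constructed policy strings for illustration (not wget's or Fedora's).
PERMISSIVE = "ALL:!aNULL"
RESTRICTED = "HIGH:!aNULL:!MD5:!RC4"

# Substrings whose presence in an enabled cipher name a policy would reject.
FORBIDDEN = ("NULL", "MD5", "RC4")


def enabled_ciphers(cipher_list):
    """Return the cipher names OpenSSL enables for cipher_list.

    Raises ssl.SSLError when the string is malformed or selects nothing,
    which is the failure a bad configure-time or config-file value would
    otherwise hit only at the first HTTPS request.  TLS 1.3 suites appear
    in the result too; they are governed by SSL_CTX_set_ciphersuites()
    and are not affected by cipher_list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers()]


def validate_cipher_list(cipher_list):
    """True if OpenSSL accepts the string and it selects at least one cipher."""
    try:
        return len(enabled_ciphers(cipher_list)) > 0
    except ssl.SSLError:
        return False


def policy_violations(names, forbidden=FORBIDDEN):
    """Pure check: which of the given cipher names a policy would reject."""
    return [n for n in names if any(f in n.upper() for f in forbidden)]


def audit(cipher_list, forbidden=FORBIDDEN):
    """Apply cipher_list and return (ok, enabled_names, violations).

    ok is False when the string is rejected by OpenSSL or when it enables
    a cipher the policy forbids.
    """
    if not validate_cipher_list(cipher_list):
        return False, [], []
    names = enabled_ciphers(cipher_list)
    bad = policy_violations(names, forbidden)
    return not bad, names, bad


if __name__ == "__main__":
    for spec in (PERMISSIVE, RESTRICTED, "NO-SUCH-CIPHER"):
        ok, names, bad = audit(spec)
        print(f"{spec!r}: ok={ok} enabled={len(names)} violations={bad}")
```

Running the script prints, for each constructed string, whether OpenSSL accepted it, how many ciphers it enables, and which enabled names the policy would reject; the exact counts depend on the OpenSSL build Python is linked against. The same check can be run against a candidate string before passing it to a configure option or writing it into a system-wide policy file.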