
Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL


From: Tim Ruehsen
Subject: Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
Date: Thu, 10 Jul 2014 09:56:11 +0200
User-agent: KMail/4.12.4 (Linux/3.14-1-amd64; KDE/4.13.1; x86_64; ; )

On Tuesday 08 July 2014 16:14:42 Petr Pisar wrote:
> On Tue, Jul 08, 2014 at 10:00:24AM -0400, Tomas Hozza wrote:
> > I'm afraid this is not suitable for us. We need to be able to define the
> > policy somewhere in /etc, where the user is not able to change it (only
> > the system administrator).
> 
> I hope you can also prevent the user from running his own wget executable, or
> ld-preloading a modified OpenSSL library, or intercepting open(2) calls to
> provide a fake /etc file.
> 
> > Also, the main intention is to have a single place to set the policy for all
> > system components, therefore wgetrc is not the right place for us.
> 
> What about changing wget to call OPENSSL_config(NULL) instead of setting
> some hard-coded preference string. Then you can teach OpenSSL to load your
> /etc configuration instead of patching each application.
> 
> -- Petr

Tomas's intention is to only change the (Wget hard-coded) cipher list for
--secure-protocol=PFS. At least, that's what I understood so far.

Tomas, could you rename the ./configure --with-openssl-ciphers-list=LIST to
something like --with-PFS-ciphers-list=LIST and rename OPENSSL_CIPHERS_LIST to
PFS_CIPHERS_LIST?
I will add the gnutls code in a second patch, though it is very easy - if you 
want to add it:

The current code in gnutls.c is
      err = gnutls_priority_set_direct (session, "PFS", NULL);
      if (err != GNUTLS_E_SUCCESS)
        /* fallback if PFS is not available */
        err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);

which should simply be replaced by:
#ifdef PFS_CIPHERS_LIST
      err = gnutls_priority_set_direct (session, PFS_CIPHERS_LIST, NULL);
#else
      err = gnutls_priority_set_direct (session, "PFS", NULL);
      if (err != GNUTLS_E_SUCCESS)
        /* fallback if PFS is not available */
        err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
#endif

Tim
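As an added illustration (not code from wget or from anyone in this thread), the following POSIX shell script mirrors the priority-string selection the patched gnutls.c performs and checks each candidate against the installed GnuTLS; it assumes gnutls-cli is available and that `gnutls-cli -l --priority STRING` exits non-zero for a string it does not understand. The validator is passed by name so the selection logic can be exercised without GnuTLS.

```shell
#!/bin/sh
# Added example: reproduce the compile-time override plus runtime fallback
# from the patched gnutls.c and show which ciphersuites the chosen string
# actually enables on this host.

# Ask the local GnuTLS whether it accepts a priority string (exit 0 = yes).
gnutls_accepts() {
    gnutls-cli -l --priority "$1" >/dev/null 2>&1
}

# $1 = value of PFS_CIPHERS_LIST (empty = not defined at configure time)
# $2 = name of a validator function (default gnutls_accepts; a stub may be
#      substituted for testing). Prints the effective priority string.
select_priority() {
    configured=$1
    check=${2:-gnutls_accepts}
    if [ -n "$configured" ]; then
        # The #ifdef branch uses the configured list unconditionally: there is
        # no fallback, so a mistyped list breaks TLS setup instead of degrading.
        printf '%s\n' "$configured"
        return 0
    fi
    # The #else branch: "PFS" first, "NORMAL:-RSA" if GnuTLS rejects "PFS"
    # (older releases do not know the PFS keyword).
    for candidate in "PFS" "NORMAL:-RSA"; do
        if "$check" "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Stand-alone use: honour PFS_CIPHERS_LIST from the environment, then list
# the ciphersuites the effective string enables.
if command -v gnutls-cli >/dev/null 2>&1; then
    prio=$(select_priority "${PFS_CIPHERS_LIST:-}") ||
        { echo "no usable priority string" >&2; exit 1; }
    echo "effective priority: $prio"
    gnutls-cli -l --priority "$prio"
fi
```

Running it with PFS_CIPHERS_LIST set shows exactly what a configure-time list would enable, which is the check worth doing before baking such a list into a build.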


