Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL


From: Tomas Hozza
Subject: Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
Date: Thu, 10 Jul 2014 08:37:23 -0400 (EDT)

----- Original Message -----
> On Tuesday 08 July 2014 16:14:42 Petr Pisar wrote:
> > On Tue, Jul 08, 2014 at 10:00:24AM -0400, Tomas Hozza wrote:
> > > I'm afraid this is not suitable for us. We need to be able to define the
> > > policy somewhere in /etc, where the user is not able to change it (only
> > > the system administrator).
> > 
> > I hope you can also prevent the user from running his own wget executable, or
> > ld-preloading a modified OpenSSL library, or intercepting open(2) calls to
> > provide a fake /etc file.
> > 
> > > Also, the main intention is to have a single place to set the policy for all
> > > system components, therefore wgetrc is not the right place for us.
> > 
> > What about changing wget to call OPENSSL_config(NULL) instead of setting
> > some hard-coded preference string? Then you can teach OpenSSL to load your
> > /etc configuration instead of patching each application.
> > 
> > -- Petr
> 
> Tomas's intention is to only change the (Wget hard-coded) cipher list for
> --secure-protocol=PFS. At least, that's what I understood so far.

It may seem so, but my intention was to be able to redefine any occurrence of
explicitly hard-coded ciphers priority list. In openssl.c it was only in the
code that was executed if --secure-protocol=PFS was used.

> Tomas, could you rename the ./configure --with-openssl-ciphers-list=LIST to
> something like --with-PFS-ciphers-list=LIST and rename OPENSSL_CIPHERS_LIST
> to PFS_CIPHERS_LIST?
> I will add the gnutls code in a second patch, though it is very easy if you
> want to add it:
> 
> The current code in gnutls.c is
>       err = gnutls_priority_set_direct (session, "PFS", NULL);
>       if (err != GNUTLS_E_SUCCESS)
>         /* fallback if PFS is not available */
>         err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
> 
> which should simply be replaced by:
> #ifdef PFS_CIPHERS_LIST
>       err = gnutls_priority_set_direct (session, PFS_CIPHERS_LIST, NULL);
> #else
>       err = gnutls_priority_set_direct (session, "PFS", NULL);
>       if (err != GNUTLS_E_SUCCESS)
>         /* fallback if PFS is not available */
>         err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
> #endif
> 
> Tim

Thank you Tim for the help. I actually renamed the option to --with-ciphers-list
so the defined list will replace all hard-coded ciphers lists, regardless of
whether GnuTLS or OpenSSL is used.

The version 3 of the patch is attached.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                               http://cz.redhat.com

Attachment: 0001-Add-configure-option-with-ciphers-list-v3.patch
Description: Text Data
