Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
From: Tomas Hozza
Subject: Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
Date: Thu, 10 Jul 2014 08:37:23 -0400 (EDT)
----- Original Message -----
> On Tuesday 08 July 2014 16:14:42 Petr Pisar wrote:
> > On Tue, Jul 08, 2014 at 10:00:24AM -0400, Tomas Hozza wrote:
> > > I'm afraid this is not suitable for us. We need to be able to define the
> > > policy somewhere in /etc, where the user is not able to change it (only
> > > the system administrator).
> >
> > I hope you can also prevent the user from running his own wget executable,
> > or ld-preloading a modified OpenSSL library, or intercepting open(2) calls
> > to provide a fake /etc file.
> >
> > > Also, the main intention is to have a single place to set the policy for
> > > all system components, therefore wgetrc is not the right place for us.
> >
> > What about changing wget to call OPENSSL_config(NULL) instead of setting
> > some hard-coded preference string? Then you can teach OpenSSL to load your
> > /etc configuration instead of patching each application.
> >
> > -- Petr
>
> Tomas's intention is to only change the (Wget hard-coded) cipher list for
> --secure-protocol=PFS. At least, that's what I understood so far.
It may seem so, but my intention was to be able to redefine any occurrence of
explicitly hard-coded ciphers priority list. In openssl.c it was only in the
code that was executed if --secure-protocol=PFS was used.
> Tomas, could you rename the ./configure --with-openssl-ciphers-list=LIST to
> something like --with-PFS-ciphers-list=LIST and rename OPENSSL_CIPHERS_LIST
> to PFS_CIPHERS_LIST?
> I will add the gnutls code in a second patch, though it is very easy - if you
> want to add it:
>
> The current code in gnutls.c is
> err = gnutls_priority_set_direct (session, "PFS", NULL);
> if (err != GNUTLS_E_SUCCESS)
> /* fallback if PFS is not available */
> err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
>
> which should simply be replaced by:
> #ifdef PFS_CIPHERS_LIST
> err = gnutls_priority_set_direct (session, PFS_CIPHERS_LIST, NULL);
> #else
> err = gnutls_priority_set_direct (session, "PFS", NULL);
> if (err != GNUTLS_E_SUCCESS)
> /* fallback if PFS is not available */
> err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
> #endif
>
> Tim
Thank you Tim for the help. I actually renamed the option to --with-ciphers-list
so the defined list will replace all hard-coded ciphers lists regardless of
whether GnuTLS or OpenSSL is used.
The version 3 of the patch is attached.
Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
Attachment: 0001-Add-configure-option-with-ciphers-list-v3.patch
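The priority-selection logic quoted in Tim's reply (a configure-time list used unconditionally, otherwise "PFS" with a "NORMAL:-RSA" fallback) is easy to get subtly wrong, so here is a small stand-alone illustration of it. This is an added example, not wget's code and not the patch in this thread: accepts_priority() is a constructed stand-in for gnutls_priority_set_direct() that only recognises a handful of keywords, E_SUCCESS and E_INVALID_REQUEST are constructed error values, and select_priority() is the hypothetical function under test. The point it makes visible is that the compile-time branch has no fallback: a rejected administrator-supplied list fails hard instead of silently downgrading to the weaker default.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the library's return codes (not GnuTLS's values). */
#define E_SUCCESS 0
#define E_INVALID_REQUEST (-50)

/* Constructed stand-in for gnutls_priority_set_direct(): this mock "library"
 * understands only the keywords below; every other string is rejected.
 * pfs_supported simulates a build in which the "PFS" keyword is unavailable. */
static int accepts_priority(const char *prio, int pfs_supported)
{
    if (strcmp(prio, "PFS") == 0)
        return pfs_supported ? E_SUCCESS : E_INVALID_REQUEST;
    if (strcmp(prio, "NORMAL:-RSA") == 0 || strcmp(prio, "SECURE256") == 0)
        return E_SUCCESS;
    return E_INVALID_REQUEST;
}

/* Mirrors the quoted #ifdef PFS_CIPHERS_LIST block. compiled_list plays the
 * role of the configure-time macro (NULL means "not defined"). Returns the
 * priority string that was applied, or NULL if nothing could be applied. */
const char *select_priority(const char *compiled_list, int pfs_supported)
{
    if (compiled_list != NULL) {
        /* Compile-time policy: used as-is, with no fallback. A rejected
         * string is a hard failure, never a silent downgrade. */
        return accepts_priority(compiled_list, pfs_supported) == E_SUCCESS
               ? compiled_list : NULL;
    }
    /* Default path: prefer "PFS", fall back to "NORMAL:-RSA" if unavailable. */
    if (accepts_priority("PFS", pfs_supported) == E_SUCCESS)
        return "PFS";
    if (accepts_priority("NORMAL:-RSA", pfs_supported) == E_SUCCESS)
        return "NORMAL:-RSA";
    return NULL;
}

int main(void)
{
    const char *r;
    r = select_priority(NULL, 1);
    printf("no compiled list, PFS available : %s\n", r);
    r = select_priority(NULL, 0);
    printf("no compiled list, PFS missing   : %s\n", r);
    r = select_priority("SECURE256", 1);
    printf("compiled list SECURE256         : %s\n", r);
    r = select_priority("BOGUS", 1);
    printf("compiled list BOGUS             : %s\n", r ? r : "(rejected, no fallback)");
    return 0;
}
```

Running it shows the three successful selections and the rejected compiled-in list; in a real build the last case should surface as a visible configure or handshake error so the administrator notices the policy string is wrong rather than getting a weaker cipher set.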