bug-wget

Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL


From: Tim Ruehsen
Subject: Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
Date: Fri, 11 Jul 2014 12:37:29 +0200
User-agent: KMail/4.12.4 (Linux/3.14-1-amd64; KDE/4.13.1; x86_64; ; )

On Friday 11 July 2014 04:30:04 Tomas Hozza wrote:
> ----- Original Message -----
> 
> > On Thursday 10 July 2014 08:37:23 Tomas Hozza wrote:
> > > ----- Original Message -----
> > > 
> > > > On Tuesday 08 July 2014 16:14:42 Petr Pisar wrote:
> > > > > On Tue, Jul 08, 2014 at 10:00:24AM -0400, Tomas Hozza wrote:
> > > > > > I'm afraid this is not suitable for us. We need to be able to
> > > > > > define the policy somewhere in /etc, where the user is not able
> > > > > > to change it (only the system administrator).
> > > > > 
> > > > > I hope you can also prevent the user from running his own wget
> > > > > executable, or ld-preloading a modified OpenSSL library, or
> > > > > intercepting open(2) calls to provide a fake /etc file.
> > > > > 
> > > > > > Also the main intention is to have a single place to set the
> > > > > > policy for all system components, therefore wgetrc is not the
> > > > > > right place for us.
> > > > > 
> > > > > What about changing wget to call OPENSSL_config(NULL) instead of
> > > > > setting some hard-coded preference string. Then you can teach
> > > > > OpenSSL to load your /etc configuration instead of patching each
> > > > > application.
> > > > > 
> > > > > -- Petr
> > > > 
> > > > Tomas' intention is to only change the (Wget hard-coded) cipher list
> > > > for --secure-protocol=PFS. At least, that's what I understood so far.
> > > 
> > > It may seem so, but my intention was to be able to redefine any
> > > occurrence of an explicitly hard-coded ciphers priority list. In
> > > openssl.c it was only in the code that was executed if
> > > --secure-protocol=PFS was used.
> > 
> > In this case, you should use a name like --with-PFS-ciphers-list=LIST,
> > because you are just changing the PFS hard-coded cipher list. Imagine we
> > add new --secure-protocol options with hard-coded values like
> > --secure-protocol=FOO
> > --secure-protocol=BAR
> > 
> > In this case you have to create another patch with
> > ./configure --with-ciphers-list-FOO
> > and
> > ./configure --with-ciphers-list-BAR
> > since the meanings could be very different. This is why I think it makes
> > sense to add 'PFS' to your ./configure option name.
> 
> I think you misunderstood me. My intention was NOT to handle PFS or any
> other method specially. The intention is to replace ALL occurrences of
> hard-coded ciphers priority list strings with the value defined when
> running ./configure.
> 
> That's why I don't want to introduce 4 new options, but a single one.

OK, then maybe it is a good idea to just patch the OpenSSL code, since there is
just one occurrence of a hard-coded cipher string.
For GnuTLS this is IMHO not the way to go, since you would make
--secure-protocol=... do simply nothing. There are users of Wget who need to
set the protocol (which is wired with ciphers, key exchange method, ... as I
wrote earlier) for whatever reason.

So either you name the configure option again ...openssl... as you did in your
first patch, and just patch the OpenSSL code.
Or with GnuTLS, we must inform the user about not being able to choose the
protocol whenever he uses --secure-protocol (command line or config file).

Just patching the OpenSSL code would need something like this:

#ifdef OPENSSL_CIPHERS_LIST
  /* Redhat request: setting cipher list at compile time */
  SSL_CTX_set_cipher_list (ssl_ctx, OPENSSL_CIPHERS_LIST);
#else
  /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
   * Since we want a good protection, we also use HIGH (that excludes MD4
   * ciphers and some more)
   */
  if (opt.secure_protocol == secure_protocol_pfs)
    /* the last element of the string is masked by the list archive */
    SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden");
#endif

So we are basically back to your patch #2 (+ you basically need to add the 
above).

Tim
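The following is an added example and not code from Wget or from anyone in this thread. It mirrors the #ifdef selection sketched above in a function that returns the cipher string that would be handed to SSL_CTX_set_cipher_list() (a compile-time OPENSSL_CIPHERS_LIST wins, otherwise only --secure-protocol=PFS sets an explicit list), and adds a small parser for the OpenSSL cipher-string format (':'-separated items, '!'/'-'/'+' operators, '@' directives) so that a list supplied via ./configure can be sanity-checked at build time, for instance to confirm that RC4 is still excluded. The enum, the struct and all function names are constructed for this example; the sample string reuses the visible part of the PFS list from the mail, with the token masked by the archive replaced by a constructed "@STRENGTH" directive. It needs no OpenSSL headers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset of Wget's secure_protocol values (the real enum has more). */
enum secure_protocol { secure_protocol_auto = 0, secure_protocol_pfs = 1 };

/* The PFS list as quoted in the mail; the archive-masked token is replaced by
 * a constructed "@STRENGTH" sort directive for this example. */
#define PFS_CIPHERS "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:@STRENGTH"

/* Cipher string to pass to SSL_CTX_set_cipher_list(), or NULL to leave
 * OpenSSL's built-in default. Mirrors the #ifdef in the proposed patch. */
const char *cipher_list_for (enum secure_protocol proto)
{
#ifdef OPENSSL_CIPHERS_LIST
  (void) proto;                 /* compile-time policy overrides everything */
  return OPENSSL_CIPHERS_LIST;
#else
  return proto == secure_protocol_pfs ? PFS_CIPHERS : NULL;
#endif
}

/* One item of an OpenSSL cipher string after splitting on ':'. */
struct cipher_rule
{
  char op;            /* '!' remove permanently, '-' remove, '+' move to end, 0 = add */
  char name[32];      /* alias such as HIGH or RC4; empty for a bare directive */
  char directive[32]; /* text after '@' (e.g. STRENGTH); empty if none */
};

/* Split `spec` into at most `max` rules. Returns the number of rules, or -1
 * when an item is empty, too long, an operator without a name, or a bare '@'. */
int parse_cipher_string (const char *spec, struct cipher_rule *out, size_t max)
{
  size_t n = 0;
  const char *p = spec;

  while (*p)
    {
      const char *end = strchr (p, ':');
      size_t len = end ? (size_t) (end - p) : strlen (p);
      const char *at;
      size_t namelen;

      if (len == 0 || n == max)
        return -1;
      memset (&out[n], 0, sizeof out[n]);
      if (*p == '!' || *p == '-' || *p == '+')
        {
          out[n].op = *p;
          p++;
          len--;
        }
      at = memchr (p, '@', len);
      namelen = at ? (size_t) (at - p) : len;
      if (namelen >= sizeof out[n].name)
        return -1;
      if (at && (len - namelen - 1 == 0 || len - namelen - 1 >= sizeof out[n].directive))
        return -1;
      if (out[n].op && namelen == 0)
        return -1;                  /* e.g. "!@STRENGTH" */
      memcpy (out[n].name, p, namelen);
      if (at)
        memcpy (out[n].directive, at + 1, len - namelen - 1);
      n++;
      p += len;
      if (*p == ':')
        p++;
    }
  return (int) n;
}

/* Does `spec` permanently exclude `alias` (a "!alias" rule)? A build-time
 * check for a list supplied through ./configure. */
int excludes_alias (const char *spec, const char *alias)
{
  struct cipher_rule rules[32];
  int n = parse_cipher_string (spec, rules, 32), i;
  for (i = 0; i < n; i++)
    if (rules[i].op == '!' && strcmp (rules[i].name, alias) == 0)
      return 1;
  return 0;
}

int main (void)
{
  struct cipher_rule rules[32];
  int n = parse_cipher_string (PFS_CIPHERS, rules, 32), i;
  printf ("PFS list: %d rules, RC4 excluded: %d\n", n, excludes_alias (PFS_CIPHERS, "RC4"));
  for (i = 0; i < n; i++)
    printf ("  op=%c name=%s directive=%s\n",
            rules[i].op ? rules[i].op : ' ', rules[i].name, rules[i].directive);
  printf ("auto -> %s\n", cipher_list_for (secure_protocol_auto) ? "explicit" : "OpenSSL default");
  return 0;
}
```

Building with -DOPENSSL_CIPHERS_LIST='"..."' makes cipher_list_for() return that string for every protocol setting, which is exactly the behaviour the thread debates: the compile-time list replaces the PFS list rather than only tightening it, so a check such as excludes_alias() is where a distribution would assert that its policy string still removes what the PFS list removed.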
