Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
From: Ángel González
Subject: Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
Date: Sat, 12 Jul 2014 23:39:51 +0200
User-agent: Thunderbird
On 11/07/14 10:30, Tomas Hozza wrote:
> I think you misunderstood me. My intention was NOT to handle PFS or any other
> method specially. The intention is to replace ALL occurrences of hard-coded
> ciphers priority list strings with the value defined when running ./configure.
> That's why I don't want to introduce 4 new options, but a single one.
Yes, I think there was some misunderstanding there :)
The problem I see is that your replacing of the hardcoded ciphers may be
weakening the user selection.
Use case:
The user wants to connect securely to godaddy.com by using Perfect
Forward Security (PFS), so he issues:
wget --secure-protocol=pfs https://www.godaddy.com
Upstream wget:
As www.godaddy.com doesn't support PFS, the connection fails:
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure
Unable to establish SSL connection.
wget with your patch overriding the ciphers:
wget connects to godaddy.com using an RSA key exchange. Two years
later, the NSA decrypts the transaction. ☹
(the three key exchanges seem allowed in the
https://fedoraproject.org/wiki/Changes/CryptoPolicy proposal, but even if
FUTURE only allowed PFS, the user could be on a machine configured with
LEGACY, and he should be able to force that -or the option disabled…-)
Thus, the hardcoded "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden"
should not be replaced with "SYSTEM" but something like
"SYSTEM:!RC4:!SRP:!PSK:!RSA:address@hidden" or "SYSTEM-PFS"
Best regards
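As an added example, not code from the wget thread or project, the check that the use case above amounts to, done through Python's ssl bindings to OpenSSL: it lists the key-exchange algorithms a cipher string actually enables, so one can see that a broad system default reintroduces plain RSA key exchange while appending the original exclusions keeps it out. `DEFAULT` is assumed as a stand-in for Fedora's `SYSTEM` alias, which stock OpenSSL does not define, and the final `@` element of wget's string is hidden in the archive, so it is omitted.

```python
# Added example, not from the wget thread: compare the key-exchange
# algorithms OpenSSL enables for a cipher string. "DEFAULT" stands in
# for the Fedora-specific "SYSTEM" alias, which plain OpenSSL rejects.
import ssl

# Key exchanges that give forward secrecy: ephemeral (EC)DH, plus
# TLS 1.3 suites (reported as kx-any), which only use ephemeral DH.
PFS_KEY_EXCHANGES = {"kx-ecdhe", "kx-dhe", "kx-any"}

# The exclusions from wget's hard-coded PFS string. Its trailing "@"
# element is hidden in the list archive, so it is left out here.
PFS_EXCLUSIONS = "!RC4:!SRP:!PSK:!RSA"


def key_exchanges(cipher_string):
    """Return the set of key-exchange algorithms enabled by cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # get_ciphers() reports each suite's key exchange under "kea",
    # e.g. "kx-rsa" or "kx-ecdhe"; an unknown value counts as non-PFS.
    return {c.get("kea") for c in ctx.get_ciphers()}


def allows_non_pfs(cipher_string):
    """True if any enabled suite uses a key exchange without forward secrecy."""
    return any(kx not in PFS_KEY_EXCHANGES for kx in key_exchanges(cipher_string))


def pfs_only_string(system_alias):
    """Build the 'SYSTEM:!RC4:!SRP:!PSK:!RSA'-style string proposed above."""
    return f"{system_alias}:{PFS_EXCLUSIONS}"


if __name__ == "__main__":
    for spec in ("HIGH:MEDIUM:" + PFS_EXCLUSIONS,   # wget's own PFS list
                 "DEFAULT",                          # bare system-wide default
                 pfs_only_string("DEFAULT")):        # default plus exclusions
        print(f"{spec:40} non-PFS key exchange allowed: {allows_non_pfs(spec)}")
```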