[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL

From: Ángel González
Subject: Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL
Date: Sat, 12 Jul 2014 23:39:51 +0200
User-agent: Thunderbird

On 11/07/14 10:30, Tomas Hozza wrote:
I think you misunderstood me. My intention was NOT to handle PFS or any other 
specially. The intention is to replace ALL occurrences of hard-coded ciphers 
list strings with value defined when running ./configure.

That's why I don't want to introduce 4 new options, but a single one.
Yes, I think there was some misunderstunding there :)

The problem I see is that your replacing of the hardcoded ciphers may be weakening
the user selection.

Use case:
The user wants to connect securely to godaddy.com by using Perfect Forward Security (PFS),
so he issues:
 wget --secure-protocol=pfs https://www.godaddy.com

Upstream wget:
 As www.godaddy.com doesn't support PFS, the connection fails:
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Unable to establish SSL connection.

wget with your patch overriding the ciphers:
wget connects to godaddy.com using a RSA key exchange. Two years later, the NSA decrypts
the transaction. ☹

(the three key exchanges seem allowed in the https://fedoraproject.org/wiki/Changes/CryptoPolicy proposal, but even if FUTURE only allowed PFS, the user could be in a machine configured with LEGACY,
and he should be able to force that -or the option disabled…-)

Thus, the hardcoded "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden" should not be replaced with "SYSTEM" but something like "SYSTEM:!RC4:!SRP:!PSK:!RSA:address@hidden" or "SYSTEM-PFS"

Best regards

reply via email to

[Prev in Thread] Current Thread [Next in Thread]