Re: [Bug-wget] SSL Poodle attack


From: Tim Rühsen
Subject: Re: [Bug-wget] SSL Poodle attack
Date: Wed, 15 Oct 2014 21:10:15 +0200
User-agent: KMail/4.14.1 (Linux/3.16-2-amd64; KDE/4.14.1; x86_64; ; )

On Wednesday, 15 October 2014, 13:45:18, Petr Pisar wrote:
> On Wed, Oct 15, 2014 at 11:57:47AM +0200, Tim Rühsen wrote:
> > (means, the libraries defaults are used, whatever that is).
> > 
> > Should we break compatibility and map 'auto' to TLSv1 ?
> > For the security of the users.
> 
> Please no. Instead of changing each TLS program, one should patch only the
> TLS library. This is the reason why we have shared libraries.
> 
> So just report the issue to your vendor, he will fix the few TLS implementations
> he delivers and all applications will get fixed automatically.

Hi Petr,

I tried to make clear that Wget *explicitly* asks for SSLv2 and SSLv3 in the 
default configuration when compiled with OpenSSL. Whatever the OpenSSL library 
vendor is doing... it won't affect Wget in this case. So with your attitude, 
you won't ever be safe from Poodle (I guess).

And again my question: should we change the default behaviour of future 
versions of Wget?
In other words: since we know the library vendor wouldn't help in the above 
case, what can we do to secure Wget?

Tim
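
The message above says the protocol choice is made by Wget's own setting, so a library update alone does not change it; the following is an added example, not part of the original message and not code from Wget, that audits a wgetrc file for the value left in effect. The `secure_protocol` command name and its name-matching rules are assumptions taken from Wget's documentation, the function names are hypothetical, and the sample files are constructed.

```python
import re

# Values that permit SSLv3 or older. "auto" is included because, per the
# message above, an OpenSSL build of Wget in its default configuration
# explicitly asks for SSLv2 and SSLv3.
LEGACY = {"auto", "sslv2", "sslv3"}

def effective_secure_protocol(wgetrc_text):
    """Return the secure_protocol value a wgetrc leaves in effect (lowercased).

    Assumption from Wget's documentation, not from this thread: the command
    is named secure_protocol, command names ignore case, '_' and '-', and a
    later line overrides an earlier one. No setting means the default, auto.
    """
    value = "auto"
    for raw in wgetrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, val = line.partition("=")
        if re.sub(r"[-_\s]", "", name).lower() == "secureprotocol":
            value = val.strip().lower()
    return value

def audit(wgetrc_text):
    """Return (value, allows_sslv3) for one wgetrc file's contents."""
    value = effective_secure_protocol(wgetrc_text)
    return value, value in LEGACY

# Constructed sample files, not taken from any real system.
SAMPLE_DEFAULT = "# no TLS settings here\ntries = 3\n"
SAMPLE_PINNED = "Secure-Protocol = SSLv3\nsecure_protocol = TLSv1\n"
SAMPLE_LEGACY = "secure_protocol=TLSv1\nSECUREPROTOCOL = sslv3  \n"

if __name__ == "__main__":
    for label, text in [("default", SAMPLE_DEFAULT), ("pinned", SAMPLE_PINNED),
                        ("legacy", SAMPLE_LEGACY)]:
        value, weak = audit(text)
        print(f"{label}: secure_protocol={value} allows_sslv3={weak}")
```

A file with no setting at all is reported as `auto`, which is the case the message is concerned with.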
