bug-wget
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] please remove SSLv3 from being used until explicitly spec

From: Tim Rühsen
Subject: Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified
Date: Thu, 16 Oct 2014 19:01:39 +0200
User-agent: KMail/4.14.1 (Linux/3.16-2-amd64; KDE/4.14.1; x86_64; ; ) 
Am Donnerstag, 16. Oktober 2014, 14:03:43 schrieb Christoph Anton Mitterer:
> Hi.
> 
> Could you please consider to remove SSLv3 (and if not done yet SSLv2 as
> well) from being automatically used, while still leaving users the
> choice to manually enable it (e.g. via --secure-protocol=SSLv2/3).
> 
> I think it would be a bad idea to expect that these insecure versions
> are dropped from the SSL backend libs, since they may be retained for
> debugging purposes or people may just use outdated cipher preference
> list.
> 
> 
> Also, it wget seems to have this --secure-protocol=PFS, which seems a
> bit strange to me, since PFS is not a property of TLS/SSL itself but
> rather the algorithms used.
> Especially, when specifying --secure-protocol=PFS one shouldn't end up
> with SSLv2/3 accidentally :)

Thanks for your input.

We are just discussing that issue (and of course anybody is invited to take 
part here on the list).

While we (developers) could change the code in a few minutes, there might be 
side effects that we (or others) don't want. At least we need an agreement with 
the maintainers on how the optimal strategy looks like.

If you are *really* in a hurry, patch the source yourself.
But I guess the distribution maintainers will provide patches in the next few 
days.

How we change the default behaviour of Wget and maybe what additional features 
we want to give to the users still needs a bit of polishing.

Regards, Tim

Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to
[Prev in Thread] Current Thread [Next in Thread]