[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] please remove SSLv3 from being used until explicitly spec
From: |
Tim Rühsen |
Subject: |
Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified |
Date: |
Thu, 16 Oct 2014 19:01:39 +0200 |
User-agent: |
KMail/4.14.1 (Linux/3.16-2-amd64; KDE/4.14.1; x86_64; ; ) |
Am Donnerstag, 16. Oktober 2014, 14:03:43 schrieb Christoph Anton Mitterer:
> Hi.
>
> Could you please consider to remove SSLv3 (and if not done yet SSLv2 as
> well) from being automatically used, while still leaving users the
> choice to manually enable it (e.g. via --secure-protocol=SSLv2/3).
>
> I think it would be a bad idea to expect that these insecure versions
> are dropped from the SSL backend libs, since they may be retained for
> debugging purposes or people may just use outdated cipher preference
> list.
>
>
> Also, it wget seems to have this --secure-protocol=PFS, which seems a
> bit strange to me, since PFS is not a property of TLS/SSL itself but
> rather the algorithms used.
> Especially, when specifying --secure-protocol=PFS one shouldn't end up
> with SSLv2/3 accidentally :)
Thanks for your input.
We are just discussing that issue (and of course anybody is invited to take
part here on the list).
While we (developers) could change the code in a few minutes, there might be
side effects that we (or others) don't want. At least we need an agreement with
the maintainers on how the optimal strategy looks like.
If you are *really* in a hurry, patch the source yourself.
But I guess the distribution maintainers will provide patches in the next few
days.
How we change the default behaviour of Wget and maybe what additional features
we want to give to the users still needs a bit of polishing.
Regards, Tim
signature.asc
Description: This is a digitally signed message part.
- [Bug-wget] please remove SSLv3 from being used until explicitly specified, Christoph Anton Mitterer, 2014/10/16
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified,
Tim Rühsen <=
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Ángel González, 2014/10/16
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Ángel González, 2014/10/16
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Ángel González, 2014/10/16
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Tim Rühsen, 2014/10/17
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Ángel González, 2014/10/19
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Tim Rühsen, 2014/10/19
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Christoph Anton Mitterer, 2014/10/17
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Tim Rühsen, 2014/10/17
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Christoph Anton Mitterer, 2014/10/17
Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Christoph Anton Mitterer, 2014/10/17