Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16
From: Tim Ruehsen
Subject: Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16
Date: Wed, 17 Dec 2014 12:42:59 +0100
User-agent: KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; )
On Friday 05 December 2014 18:12:59 Jérémie Courrèges-Anglas wrote:
> Hi,
>
> Tim Rühsen <address@hidden> writes:
> > On Wednesday, 3 December 2014, 12:36:33, Jérémie Courrèges-Anglas wrote:
> >> Hi,
> >>
> >> Giuseppe Scrivano <address@hidden> writes:
> >>
> >> [...]
> >>
> >> > we should also hide --rand-egd from wget --help and do not accept this
> >> > option when HAVE_RAND_EGD is not set.
> >>
> >> I thought about that and took the lazy approach: the option is still
> >> available even if gnutls is used, even though it's a nop. Why then
> >> change the interface if libressl is used instead of openssl/gnutls?
> >>
> >> Or maybe this was merely overlooked and openssl should really be
> >> a special case here, dunno.
> >
> > IMHO, we should accept --rand-egd to not introduce regressions.
> > But instead of silently ignoring the users demand, we should print a
> > warning about the LibreSSL/RAND_egd() issue.
>
> LibreSSL doesn't have any issue wrt RAND_egd(). This function was
> deleted on purpose.
>
> > Maybe saying, that a modern /dev/random
> > is more secure than the EGD ?
> >
> > It would not be nice if someone loses security without being warned.
>
> LibreSSL users won't lose anything. LibreSSL does the right thing wrt
> RNG initialization, consumer applications don't need to mess with this.
>
> If you *really* want to print a warning message for LibreSSL users
> please make it rude. :)
>
> >> Or... another alternative would be to get rid of RAND_egd altogether,
> >> with --egd-file staying for compat for a few releases. :)
> >
> > The question here is, where and in which way is EGD still useful !?
> > Maybe it is already obsolete on very most systems ?
> > We should keep this in mind for 1.17+.
>
> Looking at the openssl code, it looks like egd is automatically queried
> - since 2001 - if /dev/*random didn't return enough bytes. See
> rand_unix.c
>
> Your call... I wouldn't bother about that stuff in your place.
Thanks for your contribution.
I pushed your patch together with some little changes around it (different
commits).
Tim