[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] wget sets gnutls priority multiple times

From: Tim Ruehsen
Subject: Re: [Bug-wget] wget sets gnutls priority multiple times
Date: Tue, 20 Dec 2016 09:26:20 +0100
User-agent: KMail/5.2.3 (Linux/4.8.0-2-amd64; KDE/5.28.0; x86_64; ; )

On Monday, December 19, 2016 4:09:08 PM CET Nikos Mavrogiannopoulos wrote:
> Hi,
>  While debugging some issue in Fedora [0] I've realized that wget calls
> the gnutls priority functions multiple times, and that confuses gnutls
> on certain cases. In src/gnutls.c wget calls
> gnutls_set_default_priority (session) which sets the default cipher
> priorities according to the system policy. However, at the following
> lines it overwrites that policy in the switch (opt.secure_protocol).
> In particular, when no options are given it enters:
> ```
>     case secure_protocol_auto:
>       err = gnutls_priority_set_direct (session,
> That means that the default policy set above is overwritten. A possible
> fix is attached. That ensures that the priorities are set only once and
> that the default priorities are used when no options are specified (the
> latter is important for Fedora which ensures that
> gnutls_set_default_priority() sets a priority string according to the
> system-wide policies.
> The use of keyword %COMPAT is replaced by calling
> gnutls_session_enable_compatibility_mode().

Thanks, Nikos.

I like the idea of having a system wide TLS/security policy.

But what happens when wget is build with an older version of GnuTLS that 
doesn't disable SSL3.0 by default ? Before your change, these people where 
'save' from using SSL, with your change applied we introduce insecurity by 

Since what version did you disable SSL by default ? We could make a run-time 
version check to explicitly disable SSL then.

Regards, Tim

Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]