bug-wget

[Bug-wget] cipher_list string when using OpenSSL


From: Jeffrey Walton
Subject: [Bug-wget] cipher_list string when using OpenSSL
Date: Wed, 18 Oct 2017 18:57:36 -0400

Hi Everyone,

I believe this has some room for improvement (from src/openssl.c):

    "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden"

I think it would be a good idea to provide a `--cipher_list` option to
allow the user to specify it. It might also be prudent to allow the
string to be specified in `.wgetrc`.

Regarding the default string, it's 2017, and this is probably closer to
what should be used by default:

    "HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK:!kRSA"

The "!kRSA" means RSA cannot be used for key exchange (i.e., RSA key
transport), but can be used for digital signatures. MD5 is probably
another algorithm that should be sunsetted at this point in time
(though I am not aware of a HMAC/MD5 attack that can be carried out in
TCP's 2MSL re-transmit time frame).

I use the same cipher_list on the servers under my control. I've never
received a complaint from them. The cipher_list also helps get one of
those A+ reports from the various SSL scanners.

Jeff


