
Re: [Bug-wget] cipher_list string when using OpenSSL


From: Tim Rühsen
Subject: Re: [Bug-wget] cipher_list string when using OpenSSL
Date: Thu, 19 Oct 2017 11:35:59 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

Hi Jeffrey,

thanks for the heads up!

Does OpenSSL meanwhile have a PFS for their cipher list?

Currently it looks like each and every client has to amend their
cipher list from time to time. Instead, this should be done in the
library, so that new versions automatically make the client code more
secure. GnuTLS does it.


That's one reason why we (wget developers) already discussed
dropping OpenSSL support completely. The background is that the OpenSSL
code in Wget has no maintainer. We take (small) patches every now and
then but there is no expert here for review or active progress.


Having your random seeding issue in mind, there seem to be even more
reasons to drop that OpenSSL code.

If there is someone here who wants to maintain the OpenSSL code of Wget
- you are very welcome (let us know)! In the meantime I'll ask the
other maintainers about their opinion.


With Best Regards, Tim



On 10/19/2017 12:57 AM, Jeffrey Walton wrote:
> Hi Everyone,
> 
> I believe this has some room for improvement (from src/openssl.c):
> 
>     "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden"
> 
> I think it would be a good idea to provide a `--cipher_list` option to
> allow the user to specify it. It might also be prudent to allow the
> string to be specified in `.wgetrc`.
> 
> Regarding the default string, it's 2017, and this is probably closer to
> what should be used by default:
> 
>     "HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK:!kRSA"
> 
> The "!kRSA" means RSA cannot be used for key exchange (i.e., RSA key
> transport), but can be used for digital signatures. MD5 is probably
> another algorithm that should be sunsetted at this point in time
> (though I am not aware of an HMAC/MD5 attack that can be carried out in
> TCP's 2MSL re-transmit time frame).
> 
> I use the same cipher_list on the servers under my control. I've never
> received a complaint from them. The cipher_list also helps get one of
> those A+ reports from the various SSL scanners.
> 
> Jeff
> 
> 
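
The proposed default string from the quoted message can be checked against a local OpenSSL build before it is adopted. The following is an added example, not part of the thread or of Wget's code; it assumes Python's `ssl` module is linked against OpenSSL, and the function names are hypothetical. It expands the string into concrete suites and confirms that RSA key transport is gone while RSA signatures remain.

```python
import re
import ssl

# Default proposed in the quoted message (copied from the page).
PROPOSED = "HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK:!kRSA"

# OpenSSL describes each suite as "NAME PROTO Kx=.. Au=.. Enc=.. Mac=..".
_FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")


def expand(cipher_list):
    """Return the suites the local OpenSSL enables for cipher_list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)  # ssl.SSLError if no suite matches
    return [{"name": c["name"], **dict(_FIELD.findall(c["description"]))}
            for c in ctx.get_ciphers()]


def audit(suites):
    """Return (suite name, reason) pairs the proposed string should exclude."""
    problems = []
    for s in suites:
        kx, au = s.get("Kx", ""), s.get("Au", "")
        checks = [
            (kx == "RSA", "RSA key transport (no forward secrecy)"),
            (au == "None", "anonymous, unauthenticated key exchange"),
            (s.get("Enc", "").startswith("RC4"), "RC4"),
            (s.get("Mac", "") == "MD5", "MD5 MAC"),
            ("SRP" in kx or "PSK" in kx, "SRP/PSK key exchange"),
        ]
        problems += [(s["name"], why) for hit, why in checks if hit]
    return problems


def rsa_signature_suites(suites):
    """Suites where RSA authenticates the server but does not carry the key."""
    return [s["name"] for s in suites
            if s.get("Au") == "RSA" and s.get("Kx") != "RSA"]


if __name__ == "__main__":
    enabled = expand(PROPOSED)
    print(len(enabled), "suites enabled,", len(audit(enabled)), "violations")
    print("RSA used for signatures only:", rsa_signature_suites(enabled)[:5])
```

TLS 1.3 suites appear in the expansion regardless of the string, because OpenSSL configures them separately from the TLS 1.2 cipher list.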
