I just found that OpenSSL also has a cipher naming convention: http://www.openssl.org/docs/apps/ciphers.html
If Wget is compiled with OpenSSL, the user could use these. If Wget is compiled with GnuTLS, the user would use GnuTLS option strings. Maybe a new option like --secure-options=... for expert users would be better than recycling --secure-protocol. wgetrc should have two settings like secureoptionsgnutls and secureoptionsopenssl. For when a user changes these settings and than switches between wget-gnutls and wget-openssl. E.g. I sometimes do this for debugging or bug hunting or for comparing resource usage. Beside this 'expert' option, there should be a an 'everyones' option to force/enable PFS, using --secure-protocol as I already suggested. Regards, Tim On Thursday 15 August 2013 09:22:09 Tim Ruehsen wrote: > Hi, > > the recent discussion about PRISM and privacy in general made more and more > web service operators enabling the so-called 'Perfect Forward Secrecy' > (namely enabling Diffie Hellmann key exchange algorithms). For backward > compatibility they still leave the none-DH (RSA) enabled, so that many > clients (including Wget) choose these during handshake. > > To have more control over this behaviour, I would like to see the > possibility for the user to force (or at least prefer) DH key exchange plus > enabling secure cipher suites (e.g. 256 bit ciphers) > Or in general more control to the user about SSL/TLS behaviour. > > GnuTLS already has a very user-friendly 'priority' scheme which we could > open to users with e.g. > --secure-protocol=gnutls:SECURE128:+SECURE256:-VERS- SSL3.0:-RSA. (Just an > example how it could be done.) > > To make it easier for users we could also predefine something like --secure- > protocol=force-pfs that internally maps to 'NORMAL:-VERS-SSL3.0:-RSA'. > > We could later write a wrapper to map GnuTLS priority syntax to OpenSSL API > calls. > > Distribution maintainers could define a default in /etc/wgetrc > (secureprotocol=...) as they like. > > Of course there are other ways to achieve the goal. At the moment I prefer > extending --secure-protocol to not have another option. And second I prefer > GnuTLS because of it's priority strings and because Wget and GnuTLS both are > official GNU software. > > What do you think ? > > > some references > http://gnutls.org/manual/html_node/Priority-Strings.html > http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html > https://github.com/ssllabs/research/wiki/Forward-Secrecy > > To play around with priority string (example): > $ gnutls-cli --list www.savannah.de --priority NORMAL:-RSA > > To check your server security: > https://www.ssllabs.com/ssltest/index.html > > Regards, Tim
