On 08/21/2013 10:45 AM, Tim Ruehsen wrote:
> 1. --secure-protocol=PFS (or whatever we agree on) for "everyone" (users that
> have no or not enough knowledge about GnuTLS/OpenSSL option strings).
> As the other --secure-protocol types (like e.g. 'auto'), this would map to a
> fixed option string.

what if a user wanted to both (a) negotiate PFS and (b) exclude SSLv2
and SSLv3 ? Could they do that using --secure-protocol or would they
need to graduate to fancier configurations?

> 2. (to be discussed) --gnutls-options=<GnuTLS option string> and/or
> --openssl-options=<OpenSSL option string> for "experts". Here you can give
> your own idea of an option string. You can put these into /etc/wgetrc or
> ~/.wgetrc as default and override them via command line whenever the need
> arises.

If wget offers both 1 and 2, how would the two options interact if used
together?
I'm asking these questions to try to illuminate what i think are the
corner cases of the ideas, not because i think the ideas are bad ideas.
i like them both, and want to see them work sensibly :)

> I guess your suggestion of an --https-only mode fits into the current
> security discussion and I like it. I am pretty sure, people will use it.
>
> I would like to wait another week or so for feedback before I start creating
> a patch (for my two points above). Are you going to implement --https-only ?

i'm afraid i don't have time to implement --https-only in the foreseeable
future, sorry :(
--dkg
