On Sunday 08 September 2013 11:36:30 Daniel Kahn Gillmor wrote:
> >> Subject: [PATCH] PFS runtime check
> >
> > Thanks, applied now.
>
> thank you both for your quick work.
>
> After sleeping on it, it occurs to me that some of these changes to the
> priority string handling may also end up being backported to older
> versions of gnutls, and wget wouldn't be able to take advantage of them
> directly in that case.
>
> looking at the docs for gnutls_priority_set_direct(), it says:
>
> Returns: On syntax error GNUTLS_E_INVALID_REQUEST is returned,
> GNUTLS_E_SUCCESS on success, or an error code.
>
> I haven't tested (sorry!), but it seems like another approach would be
> to simply invoke gnutls_priority_set_direct(session, "PFS", NULL); and
> if it returns GNUTLS_E_INVALID_REQUEST, then fall back to setting the
> "NORMAL:-RSA" string directly.
>
> Knowing that wget could take advantage of such a feature retroactively
> might even encourage people doing stable/long-term maintenance of older
> versions of GnuTLS to backport this priority string to their stable branch.
I don't think, we need a change. Even if the priority string 'PFS' will be
backported to e.g. libgnutls 3.1.x, you still need a current Wget to use PFS.
And the current Wget falls back to 'NORMAL:-RSA' which is exactly the same
regarding the used ciphers (even the order is the same).
The only reason for using the 'PFS' priority string instead of 'NORMAL:-RSA'
is to enable future changes to PFS ciphers. This is a forward compatibility,
the backward compatibility is given right now.
Of course there could be a future diversion of 'PFS' and 'NORMAL:-RSA' which
is than backported to libgnutls < 3.2.4. But maybe we should talk about this
issue than, or the backporters creates a Wget patch for their system !?
However, here is a patch for your suggestion.
Should Giuseppe decide about it.
> Sorry to keep nit-picking on this; i'm very happy to see this option
> added to wget.
I appreciate your thinking about this in depth.
a bit OT:
Maybe we should advise system maintainers to put
secureprotocol = PFS
into /etc/wgetrc !?
Tim
>From 19f2947395f5c73c986f993c2b2f570ebe06b3cb Mon Sep 17 00:00:00 2001
From: Tim Ruehsen <[email protected]>
Date: Mon, 9 Sep 2013 10:36:09 +0200
Subject: [PATCH] better backport availability for PFS feature
---
src/ChangeLog | 6 ++++++
src/gnutls.c | 6 +++---
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index 787c9c6..ed8ebef 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,9 @@
+2013-09-09 Tim Ruehsen <[email protected]>
+
+ * gnutls.c (ssl_connect_wget): changed checking of option "PFS"
+ to be better prepared for some kinds of backports.
+ Reported by: Daniel Kahn Gillmor <[email protected]>
+
2013-09-07 Tim Ruehsen <[email protected]>
* gnutls.c (ssl_connect_wget): use gnutls_check_version()
diff --git a/src/gnutls.c b/src/gnutls.c
index 94dfaed..9b4b1ec 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -443,9 +443,9 @@ ssl_connect_wget (int fd, const char *hostname)
err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL);
break;
case secure_protocol_pfs:
- if (gnutls_check_version("3.2.4"))
- err = gnutls_priority_set_direct (session, "PFS", NULL);
- else
+ err = gnutls_priority_set_direct (session, "PFS", NULL);
+ if (err != GNUTLS_E_SUCCESS)
+ /* fallback if PFS is not available */
err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
break;
default:
--
1.8.4.rc3
