On Tuesday 08 July 2014 04:43:20 Tomas Hozza wrote:
> ----- Original Message -----
> > On 07/07/14 21:46, Tomas Hozza wrote:
> > > Hi.
> > >
> > > In Fedora we are moving to a system-wide policy of used
> > > ciphers. [1] Therefore we need wget to be compiled with other
> > > than hard-coded set of ciphers when using OpenSSL.
> > >
> > > I'm attaching a patch adding a new configure option
> > > --with-openssl-ciphers-list=LIST, which can be used
> > > to redefine the ciphers list when compiled with OpenSSL.
> > > It can be used only if --with-ssl=openssl. If not
> > > defined, the previously used (by wget) ciphers list is used.
> > >
> > > [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
> > >
> > >
> > > Regards,
> >
> > Hello Tomas,
> >
> > Thanks for your patch. Some comments:
> >
> > You are only changing the override for --secure-protocol=pfs.
> > IMHO this is wrong. The --secure-protocol= command line should
> > override the system policy.
>
> The system policy in the Fedora change proposal is meant only for
> used algorithms, not protocols. The patch IMHO does not change the
> behavior in this regard. IOW the --secure-protocol will work as it
> did before.
>
> > Additionally I would recommend using just --with-ciphers-list=LIST
> > and make it work with either OpenSSL or GnuTLS (but maybe you
> > don't need it after all?)
>
> Yes, I know the option is kind of long and not nice. In Fedora we compile
> wget against OpenSSL. Initially I wanted to contribute the option you are
> suggesting (also for GnuTLS). However the GnuTLS code seems to be too
> complicated to me to do the change in a simple way. Therefore I decided
> to go the "only openssl" way. If anyone is willing to help me to make
> it work also for GnuTLS, I'll rename it.
I already have kind of this in Mget - I extended --secure-protocol to accept
priority strings for GnuTLS (I don't have OpenSSL code in there).

  "  --secure-protocol      Set protocol to be used (auto, SSLv3, TLSv1, PFS). (default: auto)\n"
  "                         Or use GnuTLS priority strings, e.g. NORMAL:-VERS-SSL3.0:-RSA\n"

So I could adapt that to Wget.

What do you think about extending --secure-protocol and having a runtime option
instead of a compile time option? Users could set the system wide default value
in /etc/wgetrc and people are able to override it through ~/.wgetrc or
--secure-protocol.

Tim
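As an added illustration of the runtime layering Tim proposes (not code from Wget, Mget or this thread), the constructed Python example below resolves the effective --secure-protocol value from a system-wide wgetrc, a user wgetrc and the command line, and breaks a GnuTLS priority string such as NORMAL:-VERS-SSL3.0:-RSA into its base keyword and the algorithms it removes. The wgetrc parsing, the name normalisation and the priority-string handling are simplified assumptions, not Wget's own implementation.

```python
import re

# Compile-time fallback standing in for the hard-coded default (constructed value)
COMPILED_DEFAULT = "auto"
# The fixed keywords --secure-protocol accepts according to the thread
FIXED_KEYWORDS = {"auto", "sslv3", "tlsv1", "pfs"}

def parse_wgetrc(text):
    """Parse 'name = value' lines of a wgetrc; comments and blanks are skipped.
    Names are normalised (case, '-' and '_' ignored), a simplifying assumption."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        settings[re.sub(r"[-_]", "", name).lower()] = value
    return settings

def resolve_secure_protocol(system_rc, user_rc, cli_value=None):
    """Layering as proposed: compiled default < /etc/wgetrc < ~/.wgetrc < --secure-protocol."""
    value = COMPILED_DEFAULT
    for rc_text in (system_rc, user_rc):
        value = parse_wgetrc(rc_text).get("secureprotocol", value)
    return cli_value if cli_value else value

def parse_priority(value):
    """Split a GnuTLS priority string (e.g. NORMAL:-VERS-SSL3.0:-RSA) into its
    base keyword and the items it adds ('+'), removes ('-' or '!') or sets as
    special options ('%'). The fixed wget keywords are returned unchanged."""
    if value.lower() in FIXED_KEYWORDS:
        return {"keyword": value}
    base, *mods = value.split(":")
    out = {"base": base, "added": [], "removed": [], "special": []}
    for mod in mods:
        if mod.startswith("+"):
            out["added"].append(mod[1:])
        elif mod.startswith(("-", "!")):
            out["removed"].append(mod[1:])
        elif mod.startswith("%"):
            out["special"].append(mod[1:])
        else:
            raise ValueError(f"unrecognised priority modifier {mod!r}")
    return out

# Constructed sample files: the site policy drops SSL 3.0 and plain RSA key
# exchange, the user's rc leaves that alone, and the command line may override.
SYSTEM_RC = "# /etc/wgetrc (constructed)\nsecure-protocol = NORMAL:-VERS-SSL3.0:-RSA\n"
USER_RC = "tries = 3\n"
```

With these inputs the site policy string is what takes effect, a `secure_protocol` line in the user rc replaces it, and an explicit `--secure-protocol=PFS` wins over both.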