Hi, Google people found a new attack that affects SSLv3.
See
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566

In short: there is a design flaw in SSLv3 that implies high security risks.

AFAICS, Wget's default SSL protocol is 'auto', which uses

(OpenSSL code)
    case secure_protocol_auto:
      meth = SSLv23_client_method ();
      break;

or

(GnuTLS code)
    case secure_protocol_auto:
      break;

(meaning the library's defaults are used, whatever they are).

Should we break compatibility and map 'auto' to TLSv1? For the security of the users. There are only a very few HTTP servers out there that do not support TLSv1.

Or should we let the users/maintainers take care of appropriate wgetrc settings?

What do you think?

Tim
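Added example, not part of the original message and not Wget code: a shell check that reports which secure_protocol a wgetrc file ends up selecting, so an administrator can see whether a host still relies on 'auto' (the library default) or pins TLSv1. The function names and the sample file are constructed for illustration; it assumes Wget's handling of wgetrc command names (case-insensitive, with '-' and '_' ignored) and that a later line overrides an earlier one.

```shell
#!/bin/sh
# Added example: audit a wgetrc file for the secure_protocol setting.

wgetrc_secure_protocol() {
    # $1: path to a wgetrc file.
    # Prints the last value assigned, or "auto" (Wget's default) if unset.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blanks
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t_-]/, "", key)             # secure_protocol == Secure-Protocol
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "secureprotocol") proto = val
        }
        END { print (proto == "" ? "auto" : proto) }
    ' "$1"
}

sslv3_status() {
    # Classifies the effective setting with respect to SSLv3.
    case "$(wgetrc_secure_protocol "$1" | tr 'A-Z' 'a-z')" in
        tlsv1*) echo tls ;;              # SSLv3 is not offered
        sslv3)  echo sslv3 ;;            # SSLv3 is forced
        auto)   echo library-default ;;  # depends on the OpenSSL/GnuTLS default
        *)      echo other ;;
    esac
}

# Constructed sample wgetrc (not taken from the original message).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# site-wide defaults
tries = 3
secure_protocol = auto
Secure-Protocol = TLSv1
EOF
echo "$sample: $(wgetrc_secure_protocol "$sample") -> $(sslv3_status "$sample")"
rm -f "$sample"
```

A result of library-default means the outcome depends on what the linked SSL library enables by default, which is the open question the message raises.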