On 10/15/2014 03:10 PM, Tim Rühsen wrote:
> I tried to make clear that Wget *explicitly* asks for SSLv2 and SSLv3 in the
> default configuration when compiled with OpenSSL. Whatever the OpenSSL library
> vendor is doing... it won't affect Wget in this case. So with your attitude,
> you won't ever be safe from Poodle (I guess).
>
> And again my question: should we change the default behaviour of future
> versions of Wget ?
> In other words: since we know the library vendor wouldn't help in the above
> case, what can we do to secure Wget ?
Hm, I think Tim is on to something here: by default, wget should use the default ciphersuites and protocol versions selected by the TLS library. Tweaking the default choices in wget itself tends to make wget more brittle than the underlying library.

The only way that should work to try to improve security in wget via TLS implementation preference strings is if the preference string is explicitly a minor modification of some system default. This may or may not be possible depending on the preference string syntax of the selected TLS implementation. (e.g. [for OpenSSL] if the system default is always explicitly referenced as DEFAULT and we decide that we never want wget to use RC4, then DEFAULT:-RC4 is a sensible approach, because it allows OpenSSL to update DEFAULT and wget gains those improvements automatically.)

--dkg
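The approach dkg describes, shown as an added example that is not wget code and not part of the thread: start from the TLS library's own defaults, subtract only what you never want (the OpenSSL string DEFAULT:-RC4), and verify the result, rather than pinning a full list of protocol versions and suites that goes stale as the library evolves. It uses Python's ssl module, which wraps the system OpenSSL; the function names are the example's own, and it assumes Python 3.7 or later.

```python
"""Added example (not wget code): prefer the TLS library's defaults and make
only a small, explicit subtraction from them, e.g. DEFAULT:-RC4.

Assumes Python 3.7+ with an OpenSSL-backed ssl module. All function names are
this example's own.
"""
import ssl
from typing import Iterable, List


def library_default_context() -> ssl.SSLContext:
    """Protocol versions and cipher suites exactly as the library ships them.

    Nothing is pinned, so when the vendor tightens OpenSSL's DEFAULT (no SSLv3,
    no RC4, ...) a client built this way inherits the change automatically.
    """
    return ssl.create_default_context()


def context_without(exclusions: Iterable[str]) -> ssl.SSLContext:
    """Library default minus the named OpenSSL cipher aliases: DEFAULT:-RC4:-MD5."""
    ctx = ssl.create_default_context()
    spec = "DEFAULT" + "".join(":-" + alias for alias in exclusions)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if the string selects nothing
    return ctx


def cipher_names(ctx: ssl.SSLContext) -> List[str]:
    """Suite names the context would actually offer, as resolved by OpenSSL."""
    return [c["name"] for c in ctx.get_ciphers()]


def offers_family(ctx: ssl.SSLContext, token: str) -> bool:
    """True if any offered suite name contains token (e.g. 'RC4', 'MD5')."""
    return any(token in name for name in cipher_names(ctx))


def sslv3_disabled(ctx: ssl.SSLContext) -> bool:
    """The POODLE-relevant check: SSLv3 must not be negotiable by this context."""
    return bool(ctx.options & ssl.OP_NO_SSLv3) or ctx.minimum_version >= ssl.TLSVersion.TLSv1


def hardcoded_list_resolves(spec: str) -> bool:
    """Would a fully hard-coded cipher string still resolve against this library?

    This is the brittleness dkg points at: a string naming specific suites stops
    resolving once the library removes them, while DEFAULT:-X keeps working.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return False
    return len(ctx.get_ciphers()) > 0


if __name__ == "__main__":
    base = library_default_context()
    trimmed = context_without(["RC4"])
    print("library default offers RC4:", offers_family(base, "RC4"))
    print("DEFAULT:-RC4 offers RC4:   ", offers_family(trimmed, "RC4"))
    print("SSLv3 disabled by default: ", sslv3_disabled(base))
    print("suites in DEFAULT:-RC4:    ", len(cipher_names(trimmed)))
    # A 2014-era hard-coded suite name may no longer resolve at all on a
    # library that dropped it; DEFAULT:-RC4 resolves either way.
    print("hard-coded RC4-SHA resolves:", hardcoded_list_resolves("RC4-SHA"))
```

Run it against two different OpenSSL builds and the point becomes visible: the DEFAULT:-RC4 context resolves on both and never offers RC4, while the hard-coded RC4-SHA string resolves only on a library that still ships that suite.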