On Monday, December 19, 2016 4:09:08 PM CET Nikos Mavrogiannopoulos wrote:
> Hi,
> While debugging some issue in Fedora [0] I've realized that wget calls
> the gnutls priority functions multiple times, and that confuses gnutls
> on certain cases. In src/gnutls.c wget calls
> gnutls_set_default_priority (session) which sets the default cipher
> priorities according to the system policy. However, at the following
> lines it overwrites that policy in the switch (opt.secure_protocol).
>
> In particular, when no options are given it enters:
> ```
> case secure_protocol_auto:
>   err = gnutls_priority_set_direct (session,
>                                     "NORMAL:%COMPAT:-VERS-SSL3.0", NULL);
> ```
>
> That means that the default policy set above is overwritten. A possible
> fix is attached. That ensures that the priorities are set only once and
> that the default priorities are used when no options are specified (the
> latter is important for Fedora which ensures that
> gnutls_set_default_priority() sets a priority string according to the
> system-wide policies).
>
> The use of keyword %COMPAT is replaced by calling
> gnutls_session_enable_compatibility_mode().
Thanks, Nikos. I like the idea of having a system-wide TLS/security policy.

But what happens when wget is built with an older version of GnuTLS that doesn't disable SSL3.0 by default? Before your change, these people were 'safe' from using SSL; with your change applied we introduce insecurity by default.

Since what version did you disable SSL by default? We could make a run-time version check to explicitly disable SSL then.

Regards, Tim
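The pattern the two messages converge on (set the session's priority exactly once, keep the system default unless the user chose a protocol, and fall back to an explicit "-VERS-SSL3.0" only when the linked GnuTLS is too old to disable SSL 3.0 on its own), written out as an added example. This is not wget's src/gnutls.c and not the patch Nikos attached; it models the decision without linking GnuTLS so it runs stand-alone, and the real calls (gnutls_set_default_priority, gnutls_priority_set_direct, gnutls_session_enable_compatibility_mode, gnutls_check_version) are marked in comments where they would go. The `secure_protocol_explicit` value, the `struct session` record, and the "3.4.0" version threshold are assumptions; the thread leaves the threshold as an open question.

```c
#include <stdlib.h>
#include <string.h>

/* Added example (not wget's code, not the patch from the thread). Per
 * session, either keep the policy installed by gnutls_set_default_priority()
 * or install one explicit string with gnutls_priority_set_direct(); never
 * call both, which is the double-call Nikos describes. */

/* Only secure_protocol_auto appears in the thread; "explicit" stands in for
 * any user-chosen --secure-protocol value (assumption). */
enum secure_protocol { secure_protocol_auto, secure_protocol_explicit };

/* ASSUMPTION: the GnuTLS release whose default priority first dropped
 * SSL3.0. Tim asks for this version in the thread; adjust as needed. */
#define GNUTLS_SSL3_OFF_BY_DEFAULT "3.4.0"

/* Marker for "system default kept" (gnutls_set_default_priority). */
#define SYSTEM_DEFAULT "<system default>"

/* Stand-in for a gnutls_session_t, recording what was applied to it. */
struct session {
    const char *priority;   /* string installed, or SYSTEM_DEFAULT */
    int priority_calls;     /* must end up exactly 1 per session */
    int compat_mode;        /* gnutls_session_enable_compatibility_mode() */
};

/* Numeric comparison of dotted version strings ("3.3.8" < "3.4.0" == "3.4");
 * returns <0, 0, >0 like strcmp and terminates on malformed input.
 * A real build would get the runtime version from gnutls_check_version(NULL). */
int version_cmp(const char *a, const char *b)
{
    for (;;) {
        char *ea, *eb;
        long x = strtol(a, &ea, 10);
        long y = strtol(b, &eb, 10);
        if (x != y)
            return x < y ? -1 : 1;
        if (*ea != '.' && *eb != '.')
            return 0;               /* both exhausted (or non-numeric tail) */
        a = (*ea == '.') ? ea + 1 : ea;
        b = (*eb == '.') ? eb + 1 : eb;
    }
}

/* Returns the priority string to install, or NULL to keep the system default.
 * Tim's run-time check lives here: on a GnuTLS older than the threshold the
 * default policy still allows SSL3.0, so it is disabled explicitly. %COMPAT
 * is not part of the string; compatibility mode is enabled separately. */
const char *choose_priority(enum secure_protocol p, const char *explicit_priority,
                            const char *gnutls_version)
{
    if (p == secure_protocol_explicit)
        return explicit_priority;
    if (version_cmp(gnutls_version, GNUTLS_SSL3_OFF_BY_DEFAULT) < 0)
        return "NORMAL:-VERS-SSL3.0";
    return NULL;
}

/* Exactly one priority-setting call per session, then compatibility mode. */
void configure_session(struct session *s, enum secure_protocol p,
                       const char *explicit_priority, const char *gnutls_version)
{
    const char *prio = choose_priority(p, explicit_priority, gnutls_version);
    if (prio == NULL)
        s->priority = SYSTEM_DEFAULT;  /* gnutls_set_default_priority(session) */
    else
        s->priority = prio;            /* gnutls_priority_set_direct(session, prio, NULL) */
    s->priority_calls++;
    s->compat_mode = 1;                /* gnutls_session_enable_compatibility_mode(session) */
}
```

With a modern GnuTLS and no option, `configure_session` leaves the system policy alone; with an older one it installs `NORMAL:-VERS-SSL3.0` instead, so SSL 3.0 stays off either way, and in both cases the session sees a single priority call.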