On Thu, Oct 19, 2017 at 5:35 AM, Tim Rühsen <[email protected]> wrote:
> Hi Jeffrey,
>
> thanks for heads up !
>
> Does OpenSSL meanwhile have a PFS for their cipher list ?
>
> Currently it looks like that each and every client has to amend their
> cipher list from time to time. Instead, this should be done in the
> library. So that new versions automatically make the client code more
> secure. GnuTLS does it.
>
>
> That's one reason why we (wget developers) already discussed about
> dropping OpenSSL support completely. The background is that the OpenSSL
> code in Wget has no maintainer. We take (small) patches every now and
> then but there is no expert here for review or active progress.
>
> Having your random seeding issue in mind, there seems to be even more
> reasons to drop that OpenSSL code.
>
> If there is someone here who wants to maintain the OpenSSL code of Wget
> - you are very welcome (Let us know) ! In the meantime I'll ask the
> other maintainers about their opinion.

Ack, just decide what you want to do. I should not influence the project's processes or bikeshed.

I favor OpenSSL because I've worked with it for so long, and I have automated build scripts for it. On the other hand, I can switch to GnuTLS if needed. I have not done so because it's expedient to use OpenSSL (another way of saying I'm lazy at times).

Jeff
