On Wed, Oct 15, 2014 at 11:57:47AM +0200, Tim Rühsen wrote:
(means, the libraries defaults are used, whatever that is).
Should we break compatibility and map 'auto' to TLSv1 ?
For the security of the users.
Please no. Instead of changing each TLS program, one should patch only the TLS
Am Mittwoch, 15. Oktober 2014, 13:45:18 schrieb Petr Pisar:
On Wed, Oct 15, 2014 at 11:57:47AM +0200, Tim Rühsen wrote:
(means, the libraries defaults are used, whatever that is).
Should we break compatibility and map 'auto' to TLSv1 ?
For the security of the users.
Please no. Instead
On 10/15/2014 03:10 PM, Tim Rühsen wrote:
I tried to make clear that Wget *explicitely* asks for SSLv2 and SSLv3 in the
default configuration when compiled with OpenSSL. Whatever the OpenSSL
library
vendor is doing... it won't affect Wget in this case. So with your attitude,
you won't
On 10/15/2014 05:37 PM, Daniel Stenberg wrote:
On Wed, 15 Oct 2014, Daniel Kahn Gillmor wrote:
(e.g. [for OpenSSL] if the system default is always explicitly
referenced as DEFAULT and we decide that we never want wget to use
RC4, then DEFAULT:-RC4 is a sensible approach, because it allows
On Wed, 15 Oct 2014, Daniel Kahn Gillmor wrote:
I agree that OpenSSL has traditionally been too conservative. I'm arguing
that if we're going to set anything other than the default, we should make
our changes as *relative* changes rather than specifying something absolute,
so that wget can
