Hi, I fould a potential gotcha when playing with clang's code analysis tool.
The concat_strings function silently stopped counting string lengths when
given more than 5 arguments. clang warned about potential garbage values in
the saved_lengths array, so I redid it with this approach.
All tests w
patch V2
- removed SSLv3 from --secure-protocol=auto|pfs (GnuTLS code)
- removed SSLv3 from --secure-protocol=auto (OpenSSL code)
- amended the docs
I am not an OpenSSL expert... please feel free to suggest improvements.
Tim
Am Donnerstag, 16. Oktober 2014, 20:50:32 schri
Ángel González wrote:
First of all, note that wget doesn't react to a disconnect with a
downgraded retry thus
it is mainly not vulnerable to poodle (you could only use
CVE-2014-3566 against servers
not supporting TLS).
And curl is equally not affected (tested 7.38.0).
Ángel González wrote:
First of all, note that wget doesn't react to a disconnect with a
downgraded retry thus
it is mainly not vulnerable to poodle (you could only use
CVE-2014-3566 against servers
not supporting TLS).
Note I tested both openssl and gnutls builds. Then I rebuilt 1.15¹ with
bot
On 16/10/14 19:01, Tim Rühsen wrote:
Am Donnerstag, 16. Oktober 2014, 14:03:43 schrieb Christoph Anton Mitterer:
Also, it wget seems to have this --secure-protocol=PFS, which seems a
bit strange to me, since PFS is not a property of TLS/SSL itself but
rather the algorithms used.
Especially, when
Am Mittwoch, 15. Oktober 2014, 17:26:49 schrieb Daniel Kahn Gillmor:
> On 10/15/2014 03:10 PM, Tim Rühsen wrote:
> > I tried to make clear that Wget *explicitely* asks for SSLv2 and SSLv3 in
> > the default configuration when compiled with OpenSSL. Whatever the
> > OpenSSL library vendor is doing..
Am Donnerstag, 16. Oktober 2014, 14:03:43 schrieb Christoph Anton Mitterer:
> Hi.
>
> Could you please consider to remove SSLv3 (and if not done yet SSLv2 as
> well) from being automatically used, while still leaving users the
> choice to manually enable it (e.g. via --secure-protocol=SSLv2/3).
>
Hi.
Could you please consider to remove SSLv3 (and if not done yet SSLv2 as
well) from being automatically used, while still leaving users the
choice to manually enable it (e.g. via --secure-protocol=SSLv2/3).
I think it would be a bad idea to expect that these insecure versions
are dropped from
On 13 October 2014 10:25, Joe Hoyle wrote:
> Hi All,
>
>
> I’m having issues using "--convert-links” in conjunction with
> "--content-on-error”. Though "--content-on-error” is forcing wget to download
> the pages, the links to that “errored” page is not update in other pages that
> link to it.