Re: [Bug-wget] SSL Poodle attack

2014-10-16 Thread Tim Rühsen
Am Mittwoch, 15. Oktober 2014, 17:26:49 schrieb Daniel Kahn Gillmor: On 10/15/2014 03:10 PM, Tim Rühsen wrote: I tried to make clear that Wget *explicitely* asks for SSLv2 and SSLv3 in the default configuration when compiled with OpenSSL. Whatever the OpenSSL library vendor is doing... it

Re: [Bug-wget] SSL Poodle attack

2014-10-15 Thread Petr Pisar
On Wed, Oct 15, 2014 at 11:57:47AM +0200, Tim Rühsen wrote: (means, the libraries defaults are used, whatever that is). Should we break compatibility and map 'auto' to TLSv1 ? For the security of the users. Please no. Instead of changing each TLS program, one should patch only the TLS

Re: [Bug-wget] SSL Poodle attack

2014-10-15 Thread Tim Rühsen
Am Mittwoch, 15. Oktober 2014, 13:45:18 schrieb Petr Pisar: On Wed, Oct 15, 2014 at 11:57:47AM +0200, Tim Rühsen wrote: (means, the libraries defaults are used, whatever that is). Should we break compatibility and map 'auto' to TLSv1 ? For the security of the users. Please no. Instead

Re: [Bug-wget] SSL Poodle attack

2014-10-15 Thread Daniel Kahn Gillmor
On 10/15/2014 03:10 PM, Tim Rühsen wrote: I tried to make clear that Wget *explicitely* asks for SSLv2 and SSLv3 in the default configuration when compiled with OpenSSL. Whatever the OpenSSL library vendor is doing... it won't affect Wget in this case. So with your attitude, you won't

Re: [Bug-wget] SSL Poodle attack

2014-10-15 Thread Daniel Stenberg
On Wed, 15 Oct 2014, Daniel Kahn Gillmor wrote: (e.g. [for OpenSSL] if the system default is always explicitly referenced as DEFAULT and we decide that we never want wget to use RC4, then DEFAULT:-RC4 is a sensible approach, because it allows OpenSSL to update DEFAULT and wget gains those

Re: [Bug-wget] SSL Poodle attack

2014-10-15 Thread Daniel Kahn Gillmor
On 10/15/2014 05:37 PM, Daniel Stenberg wrote: On Wed, 15 Oct 2014, Daniel Kahn Gillmor wrote: (e.g. [for OpenSSL] if the system default is always explicitly referenced as DEFAULT and we decide that we never want wget to use RC4, then DEFAULT:-RC4 is a sensible approach, because it allows

Re: [Bug-wget] SSL Poodle attack

2014-10-15 Thread Daniel Stenberg
On Wed, 15 Oct 2014, Daniel Kahn Gillmor wrote: I agree that OpenSSL has traditionally been too conservative. I'm arguing that if we're going to set anything other than the default, we should make our changes as *relative* changes rather than specifying something absolute, so that wget can