bug-wget

[Bug-wget] [PATCH] V2 removed 'auto' SSLv3 also from OpenSSL code


From: Tim Rühsen
Subject: [Bug-wget] [PATCH] V2 removed 'auto' SSLv3 also from OpenSSL code
Date: Thu, 16 Oct 2014 22:13:18 +0200
User-agent: KMail/4.14.1 (Linux/3.16-2-amd64; KDE/4.14.1; x86_64; ; )

patch V2
        - removed SSLv3 from --secure-protocol=auto|pfs (GnuTLS code)
        - removed SSLv3 from --secure-protocol=auto (OpenSSL code)
        - amended the docs

I am not an OpenSSL expert... please feel free to suggest improvements.

Tim

On Thursday, 16 October 2014, 20:50:32, Tim Rühsen wrote:
> On Wednesday, 15 October 2014, 17:26:49, Daniel Kahn Gillmor wrote:
> > On 10/15/2014 03:10 PM, Tim Rühsen wrote:
> > > I tried to make clear that Wget *explicitly* asks for SSLv2 and SSLv3
> > > in the default configuration when compiled with OpenSSL. Whatever the
> > > OpenSSL library vendor is doing... it won't affect Wget in this case. So
> > > with your attitude, you won't ever be safe from Poodle (I guess).
> > >
> > > And again my question: should we change the default behaviour of future
> > > versions of Wget?
> > > In other words: since we know the library vendor wouldn't help in the
> > > above case, what can we do to secure Wget?
> >
> > Hm, I think Tim is on to something here: by default, wget should use the
> > default ciphersuites and protocol versions selected by the TLS library.
> >
> > Tweaking the default choices in wget itself tends to make wget more
> > brittle than the underlying library.
> >
> > The only way that should work to try to improve security in wget via TLS
> > implementation preference strings is if the preference string is
> > explicitly a minor modification of some system default. This may or may
> > not be possible depending on the preference string syntax of the
> > selected TLS implementation.
> >
> > (e.g. [for OpenSSL] if the system default is always explicitly
> > referenced as DEFAULT and we decide that we never want wget to use RC4,
> > then DEFAULT:-RC4 is a sensible approach, because it allows OpenSSL to
> > update DEFAULT and wget gains those improvements automatically)
>
> Here is a suggestion for a GnuTLS patch.
>
> I will have a look at OpenSSL ciphers and make a similar patch soon.
>
> I also suggested (~1-2 years ago) an option to directly set priority strings
> / ciphers for GnuTLS and OpenSSL. In situations like these, such an option
> would allow for a quick reaction done by distribution maintainers and
> users.
>
> What do you think?
>
> Tim

Attachment: 0001-do-not-use-SSLv3-except-explicitely-requested.patch
Description: Text Data

Attachment: signature.asc
Description: This is a digitally signed message part.
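The approach Daniel describes above (start from the library's DEFAULT selection and only subtract what must never be used, so that vendor updates to DEFAULT still reach the application) and the patch's goal of refusing SSLv3 can be checked without a network. The following is an added example, not wget code and not the attached patch: it uses Python's ssl module, which wraps OpenSSL, so the cipher-string syntax ("DEFAULT:-RC4") is the OpenSSL one discussed in the thread. The function names and the extra "SHA1" subtraction are the example's own choices.

```python
"""Added example (not wget code): build a TLS client context by taking
OpenSSL's DEFAULT cipher selection and subtracting named aliases, then
verify what the context would actually offer.

Python's ssl module wraps OpenSSL, so the cipher-string syntax is the one
from the thread ("DEFAULT:-RC4").  Function names are this example's own.
"""
import ssl


def make_client_context(*removals):
    """Return a client SSLContext whose cipher list is OpenSSL's DEFAULT
    minus the given aliases, e.g. make_client_context("RC4") ->
    set_ciphers("DEFAULT:-RC4")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Python creates the context with OP_NO_SSLv2 | OP_NO_SSLv3 already set,
    # the same SSL_CTX_set_options() flags the patch adds on the OpenSSL
    # side.  The protocol floor is otherwise left to the library.
    #
    # "-ALIAS" removes matching suites from the current list (they could be
    # re-added by a later rule); "!ALIAS" would remove them permanently.
    cipher_string = ":".join(["DEFAULT"] + ["-" + alias for alias in removals])
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx


def cipher_names(ctx):
    """Names of the suites the context would offer.  get_ciphers() also
    lists TLS 1.3 suites, which set_ciphers() does not touch."""
    return [c["name"] for c in ctx.get_ciphers()]


def offers(ctx, fragment):
    """True if any offered suite name contains `fragment` (e.g. "RC4")."""
    return any(fragment in name for name in cipher_names(ctx))


def sslv3_disabled(ctx):
    """True if the context carries the OP_NO_SSLv3 option bit."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    for removals in ((), ("RC4",), ("RC4", "SHA1")):
        ctx = make_client_context(*removals)
        rule = "DEFAULT" + "".join(":-" + r for r in removals)
        print(f"{rule:24} {len(cipher_names(ctx)):3d} suites,"
              f" SSLv3 off: {sslv3_disabled(ctx)},"
              f" RC4 offered: {offers(ctx, 'RC4')}")
```

Subtracting "SHA1" (suites whose MAC is HMAC-SHA1, the ones whose OpenSSL names end in "-SHA") is included only to make the subtraction visible on current OpenSSL builds, where RC4 is already absent from DEFAULT; the point stands either way: the application never enumerates what it wants, it only names what it refuses, and the library's DEFAULT carries the rest.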
