[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] please remove SSLv3 from being used until explicitly spec
From: |
Tim Rühsen |
Subject: |
Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified |
Date: |
Fri, 17 Oct 2014 12:24:52 +0200 |
User-agent: |
KMail/4.14.1 (Linux/3.16-2-amd64; KDE/4.14.1; x86_64; ; ) |
Am Donnerstag, 16. Oktober 2014, 22:01:35 schrieb Ángel González:
> Ángel González wrote:
> > First of all, note that wget doesn't react to a disconnect with a
> > downgraded retry thus
> > it is mainly not vulnerable to poodle (you could only use
> > CVE-2014-3566 against servers
> > not supporting TLS).
>
> Note I tested both openssl and gnutls builds. Then I rebuilt 1.15¹ with
> both libraries using
> versions prior to poodle announcement. None of them was affected.
>
>
> ¹ I am having some problem with src/Makefile generation, so I didn't
> test with master, but that
> should be equivalent.
Hi Ángel,
thanks for your testing.
I would like to reproduce it - can you tell me what you did exactly ?
The original paper talks about 'client renegotiation dance'.
What about renegotiation at protocol level ? Isn't it possible that a TLS
connection goes down to SSLv3 intransparent to the client/server code ?
I am not that deep into the TLS/SSL libraries to answer that question myself
right now. The paper talks about 'proper protocol version negotiation' - that
seems to need some clarification.
Tim
Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Christoph Anton Mitterer, 2014/10/17