[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16
From: |
Tim Rühsen |
Subject: |
Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16 |
Date: |
Wed, 03 Dec 2014 20:19:48 +0100 |
User-agent: |
KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; ) |
Am Mittwoch, 3. Dezember 2014, 12:36:33 schrieb Jérémie Courrèges-Anglas:
> Hi,
>
> Giuseppe Scrivano <address@hidden> writes:
>
> [...]
>
> > we should also hide --rand-egd from wget --help and do not accept this
> > option when HAVE_RAND_EGD is not set.
>
> I thought about that and took the lazy approach: the option is still
> available even if gnutls is used, even though it's a nop. Why then
> change the interface if libressl is used instead of openssl/gnutls?
>
> Or maybe this was merely overlooked and openssl should really be
> a special case here, dunno.
IMHO, we should accept --rand-egd to not introduce regressions.
But instead of silently ignoring the users demand, we should print a warning
about the LibreSSL/RAND_egd() issue. Maybe saying, that a modern /dev/random
is more secure than the EGD ?
It would not be nice if someone loses security without being warned.
> Or... another alternative would be to get rid of RAND_egd altogether,
> with --egd-file staying for compat for a few releases. :)
The question here is, where and in which way is EGD still useful !?
Maybe it is already obsolete on very most systems ?
We should keep this in mind for 1.17+.
Tim
signature.asc
Description: This is a digitally signed message part.
- [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16, Jérémie Courrèges-Anglas, 2014/12/02
- Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16, Tim Ruehsen, 2014/12/02
- Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16, Darshit Shah, 2014/12/02
- Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16, Jérémie Courrèges-Anglas, 2014/12/02
- Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16, Darshit Shah, 2014/12/02
- Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16, Giuseppe Scrivano, 2014/12/03
- Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16, Jérémie Courrèges-Anglas, 2014/12/03
- Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16,
Tim Rühsen <=
- Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16, Tim Ruehsen, 2014/12/04
- Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16, Jérémie Courrèges-Anglas, 2014/12/05
- Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16, Tim Ruehsen, 2014/12/17
- Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16, Jérémie Courrèges-Anglas, 2014/12/17