Re: [Bug-wget] SSL Poodle attack
From: Daniel Kahn Gillmor
Subject: Re: [Bug-wget] SSL Poodle attack
Date: Wed, 15 Oct 2014 17:53:05 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Icedove/32.0
On 10/15/2014 05:37 PM, Daniel Stenberg wrote:
> On Wed, 15 Oct 2014, Daniel Kahn Gillmor wrote:
>
>> (e.g. [for OpenSSL] if the system default is always explicitly
>> referenced as DEFAULT and we decide that we never want wget to use
>> RC4, then DEFAULT:-RC4 is a sensible approach, because it allows
>> OpenSSL to update DEFAULT and wget gains those improvements
>> automatically)
>
> I disagree. OpenSSL is but a TLS library that provides functionality -
> and it does so rather conservatively in my view. It does not necessarily
> set the security standard for what applications should aim for in a good
> manner.
>
> SSL_DEFAULT_CIPHER_LIST for OpenSSL in my debian unstable (== fairly
> recent version 1.0.1i) says "ALL:!aNULL:!eNULL:!SSLv2".
>
> That means it allows EXPORT40, EXPORT56 and LOW for example (if I'm not
> missing something), in addition to RC4. Those are terribly weak ciphers.
>
> OpenSSL ciphers list is at https://www.openssl.org/docs/apps/ciphers.html
I agree that OpenSSL has traditionally been too conservative. I'm
arguing that if we're going to set anything other than the default, we
should make our changes as *relative* changes rather than specifying
something absolute, so that wget can get any improvements that OpenSSL
makes to the default without having to rebuild wget itself.
--dkg
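The distinction the two messages above argue over (a relative spec such as DEFAULT:-RC4 versus an absolute cipher list) can be checked against the OpenSSL build actually on the machine. The script below is an added example, not wget code and not anything posted in this thread; it drives OpenSSL's cipher-string parser through Python's ssl module, so its answers depend on the OpenSSL that Python is linked against (a 2014 1.0.1 build and a current 3.x build resolve the same strings differently, which is the whole point). The WEAK pattern is this example's own name-based classification of what the thread calls terribly weak suites, not an OpenSSL alias, and the function names are the example's own.

```python
"""Resolve OpenSSL cipher strings and see what they really permit.

Added example for the bug-wget thread; not wget's code and not the
posters' code. Results reflect the OpenSSL this Python links against.
"""
import re
import ssl

# This example's own notion of "terribly weak": RC4, export grade,
# unauthenticated (ADH/AECDH) or unencrypted (NULL) suites, single DES,
# MD5 MACs. A name-pattern heuristic, not an OpenSSL alias.
WEAK = re.compile(r"RC4|^EXP|NULL|^ADH|^AECDH|DES-CBC-|MD5")


def resolve(spec):
    """Return the TLS 1.2-and-below suite names `spec` selects on this
    build, in OpenSSL's priority order. Raises ssl.SSLError if nothing
    matches (OpenSSL's "no cipher match")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    # get_ciphers() also lists TLS 1.3 suites, which cipher strings do not
    # govern (that is set_ciphersuites territory), so leave them out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def resolve_or_empty(spec):
    """Like resolve(), but an alias this build no longer knows at all
    (e.g. RC4 on a build without RC4) yields [] instead of an exception."""
    try:
        return resolve(spec)
    except ssl.SSLError:
        return []


def weak_suites(names):
    """Subset of `names` matching the WEAK heuristic, order preserved."""
    return [n for n in names if WEAK.search(n)]


def tracks_default(alias):
    """dkg's argument: 'DEFAULT:-<alias>' is exactly today's DEFAULT minus
    <alias>, so it inherits whatever DEFAULT OpenSSL ships later. It stays
    valid when the alias has vanished from the build: '-RC4' is then a
    harmless no-op inside the string, while a bare 'RC4' spec fails."""
    relative = set(resolve("DEFAULT:-" + alias))
    expected = set(resolve("DEFAULT")) - set(resolve_or_empty(alias))
    return relative == expected


def minus_can_be_readded(alias):
    """'-' only deletes: a later rule naming the alias puts the suites back."""
    return set(resolve("DEFAULT:-%s:%s" % (alias, alias))) == set(resolve("DEFAULT"))


def bang_is_permanent(alias):
    """'!' kills: a later rule naming the same alias cannot revive it."""
    killed = set(resolve("DEFAULT:!%s:%s" % (alias, alias)))
    return not (killed & set(resolve_or_empty(alias)))


if __name__ == "__main__":
    # The literal 1.0.1i default quoted in the thread, used as an absolute
    # spec: on 1.0.1 it admitted EXPORT/LOW/RC4 suites; on a current build
    # most of those suites no longer exist, an improvement a relative spec
    # picks up for free and a hard-coded absolute list may not.
    for spec in ("ALL:!aNULL:!eNULL:!SSLv2", "DEFAULT", "DEFAULT:-RC4"):
        names = resolve(spec)
        print("%-26s %3d suites, weak by name: %s"
              % (spec, len(names), ", ".join(weak_suites(names)) or "none"))
    print("DEFAULT:-RC4 tracks DEFAULT:", tracks_default("RC4"))
    print("'-' re-addable:", minus_can_be_readded("AES128"),
          " '!' permanent:", bang_is_permanent("AES128"))
```

Two practical notes. First, an alias that the linked OpenSSL no longer recognises (RC4 or SSLv2 on recent builds) is silently skipped inside a longer cipher string, so DEFAULT:-RC4 keeps working after the library drops RC4, whereas an absolute list made only of retired suite names fails outright. Second, -RC4 and !RC4 differ: the former can be undone by a later rule in the same string, the latter cannot, so !RC4 is the safer spelling when the string may later be extended by configuration.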
- [Bug-wget] SSL Poodle attack, Tim Rühsen, 2014/10/15
- Re: [Bug-wget] SSL Poodle attack, Petr Pisar, 2014/10/15
- Re: [Bug-wget] SSL Poodle attack, Tim Rühsen, 2014/10/16
- [Bug-wget] [PATCH] V2 removed 'auto' SSLv3 also from OpenSSL code, Tim Rühsen, 2014/10/16
- Re: [Bug-wget] [PATCH] V2 removed 'auto' SSLv3 also from OpenSSL code, Giuseppe Scrivano, 2014/10/19
- Re: [Bug-wget] [PATCH] V2 removed 'auto' SSLv3 also from OpenSSL code, Tim Rühsen, 2014/10/19