[Bug-wget] please remove SSLv3 from being used until explicitly specified

[Christoph Anton Mitterer]

Hi.

Could you please consider to remove SSLv3 (and if not done yet SSLv2 as
well) from being automatically used, while still leaving users the
choice to manually enable it (e.g. via --secure-protocol=SSLv2/3).

I think it would be a bad idea to expect that these insecure versions
are dropped from the SSL backend libs, since they may be retained for
debugging purposes or people may just use outdated cipher preference
list.


Also, it wget seems to have this --secure-protocol=PFS, which seems a
bit strange to me, since PFS is not a property of TLS/SSL itself but
rather the algorithms used.
Especially, when specifying --secure-protocol=PFS one shouldn't end up
with SSLv2/3 accidentally :)


Cheers,
Chris.

smime.p7s
Description: S/MIME cryptographic signature