Re: [Bug-wget] wget sets gnutls priority multiple times
From: Tim Ruehsen
Subject: Re: [Bug-wget] wget sets gnutls priority multiple times
Date: Tue, 20 Dec 2016 09:26:20 +0100
User-agent: KMail/5.2.3 (Linux/4.8.0-2-amd64; KDE/5.28.0; x86_64; ; )
On Monday, December 19, 2016 4:09:08 PM CET Nikos Mavrogiannopoulos wrote:
> Hi,
> While debugging some issue in Fedora [0] I've realized that wget calls
> the gnutls priority functions multiple times, and that confuses gnutls
> on certain cases. In src/gnutls.c wget calls
> gnutls_set_default_priority (session) which sets the default cipher
> priorities according to the system policy. However, at the following
> lines it overwrites that policy in the switch (opt.secure_protocol).
>
> In particular, when no options are given it enters:
> ```
> case secure_protocol_auto:
>   err = gnutls_priority_set_direct (session,
>                                     "NORMAL:%COMPAT:-VERS-SSL3.0", NULL);
> ```
>
> That means that the default policy set above is overwritten. A possible
> fix is attached. That ensures that the priorities are set only once and
> that the default priorities are used when no options are specified (the
> latter is important for Fedora which ensures that
> gnutls_set_default_priority() sets a priority string according to the
> system-wide policies).
>
> The use of keyword %COMPAT is replaced by calling
> gnutls_session_enable_compatibility_mode().
Thanks, Nikos.
I like the idea of having a system wide TLS/security policy.
But what happens when wget is built with an older version of GnuTLS that
doesn't disable SSL3.0 by default? Before your change, these people were
'safe' from using SSL; with your change applied we introduce insecurity by
default.
Since which version did you disable SSL by default? We could make a run-time
version check to explicitly disable SSL then.
Regards, Tim
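The logic the two messages are circling, written out as an added example (this is not wget's or GnuTLS's code, and not Nikos' patch): set the priority exactly once per session, defer to gnutls_set_default_priority() when no --secure-protocol option was given, but only if the running GnuTLS is new enough that its defaults already exclude SSL 3.0; on an older library keep the explicit "-VERS-SSL3.0" string, with %COMPAT replaced by gnutls_session_enable_compatibility_mode() as the patch does. The decision is a pure function so it can be exercised without linking GnuTLS. Assumptions not taken from the thread: the 3.4.0 threshold (a placeholder for whatever version Nikos answers with), the enum values other than secure_protocol_auto, the priority strings used for them, the HAVE_GNUTLS guard, and the helper names version_key, gnutls_at_least, choose_priority and apply_plan.

```c
/* Added example, not code from wget or GnuTLS. Models "set the priority
 * once" plus the run-time version gate Tim asks for. Assumed, not from the
 * thread: the 3.4.0 threshold, enum values other than secure_protocol_auto,
 * their priority strings, and the HAVE_GNUTLS guard around the real calls. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum secure_protocol {
    secure_protocol_auto,    /* from the page: no --secure-protocol given */
    secure_protocol_sslv3,   /* assumed name: user explicitly asked for SSL 3.0 */
    secure_protocol_tlsv1_2  /* assumed name: user explicitly asked for TLS 1.2 */
};

/* What session setup should do: either one gnutls_set_default_priority()
 * call, or one gnutls_priority_set_direct() call with `priority`, never
 * both. `compat_mode` stands in for the %COMPAT keyword and means "call
 * gnutls_session_enable_compatibility_mode() afterwards". */
struct priority_plan {
    bool use_system_default;
    const char *priority;
    bool compat_mode;
};

/* ASSUMPTION: first GnuTLS release whose default priorities exclude SSL 3.0.
 * Confirm against the GnuTLS NEWS file before relying on it. */
#define SSL3_DROPPED_FROM_DEFAULTS "3.4.0"

/* "MAJOR.MINOR[.PATCH]" -> sortable integer; -1 if unparsable. */
static long version_key(const char *v)
{
    long maj = 0, min = 0, pat = 0;
    if (v == NULL || sscanf(v, "%ld.%ld.%ld", &maj, &min, &pat) < 2)
        return -1;
    return maj * 1000000L + min * 1000L + pat;
}

/* Same contract as gnutls_check_version(required) != NULL, but evaluated on
 * a version string passed in so old and new libraries can be simulated.
 * In real code `running` would be gnutls_check_version(NULL). */
static bool gnutls_at_least(const char *running, const char *required)
{
    long r = version_key(running), q = version_key(required);
    return r >= 0 && q >= 0 && r >= q;
}

struct priority_plan choose_priority(enum secure_protocol proto,
                                     const char *running_version)
{
    struct priority_plan p = { false, NULL, false };

    switch (proto) {
    case secure_protocol_auto:
        if (gnutls_at_least(running_version, SSL3_DROPPED_FROM_DEFAULTS)) {
            /* New library: the system-wide policy already excludes SSL 3.0,
             * so honour it instead of overwriting it. */
            p.use_system_default = true;
        } else {
            /* Old library: its defaults may still offer SSL 3.0, so keep the
             * explicit exclusion wget shipped before the change. */
            p.priority = "NORMAL:-VERS-SSL3.0";
            p.compat_mode = true;
        }
        break;
    case secure_protocol_sslv3:
        /* Assumed strings: an explicit user request overrides the policy. */
        p.priority = "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0";
        p.compat_mode = true;
        break;
    case secure_protocol_tlsv1_2:
        p.priority = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2";
        break;
    }
    return p;
}

#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
/* Apply the plan with real GnuTLS calls: exactly one priority call per session. */
static int apply_plan(gnutls_session_t session, const struct priority_plan *p)
{
    int err = p->use_system_default
                  ? gnutls_set_default_priority(session)
                  : gnutls_priority_set_direct(session, p->priority, NULL);
    if (err == GNUTLS_E_SUCCESS && p->compat_mode)
        gnutls_session_enable_compatibility_mode(session);
    return err;
}
#endif

int main(void)
{
    const char *versions[] = { "3.3.8", "3.5.6" };  /* constructed sample inputs */
    for (size_t i = 0; i < 2; i++) {
        struct priority_plan p = choose_priority(secure_protocol_auto, versions[i]);
        printf("GnuTLS %s, no option: %s%s\n", versions[i],
               p.use_system_default ? "gnutls_set_default_priority()" : p.priority,
               p.compat_mode ? " + compatibility mode" : "");
    }
    return 0;
}
```

The point of separating the decision from the library calls is that the version gate becomes a unit-testable table: a build against an old GnuTLS keeps the explicit SSL 3.0 exclusion, a build against a new one inherits the distribution policy, and in neither case is the priority set twice.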