On Tuesday 08 July 2014 16:14:42 Petr Pisar wrote:
> On Tue, Jul 08, 2014 at 10:00:24AM -0400, Tomas Hozza wrote:
> > I'm afraid this is not suitable for us. We need to be able to define the
> > policy somewhere in /etc, where the user is not able to change it (only
> > the system administrator).
>
> I hope you can also prevent the user from running his own wget executable, or
> ld-preloading a modified OpenSSL library, or intercepting open(2) calls to
> provide a fake /etc file.
>
> > Also the main intention is to have a single place to set the policy for all
> > system components, therefore wgetrc is not the right place for us.
>
> What about changing wget to call OPENSSL_config(NULL) instead of setting
> some hard-coded preference string. Then you can teach OpenSSL to load your
> /etc configuration instead of patching each application.
>
> -- Petr
Tomas's intention is to only change the (Wget hard-coded) cipher list for --secure-protocol=PFS. At least, that's what I understood so far.

Tomas, could you rename ./configure --with-openssl-ciphers-list=LIST to something like --with-PFS-ciphers-list=LIST and rename OPENSSL_CIPHERS_LIST to PFS_CIPHERS_LIST ?

I will add the gnutls code in a second patch, though it is very easy - if you want to add it:

The current code in gnutls.c is

    err = gnutls_priority_set_direct (session, "PFS", NULL);
    if (err != GNUTLS_E_SUCCESS)
      /* fallback if PFS is not available */
      err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);

which should simply be replaced by:

    #ifdef PFS_CIPHERS_LIST
      err = gnutls_priority_set_direct (session, PFS_CIPHERS_LIST, NULL);
    #else
      err = gnutls_priority_set_direct (session, "PFS", NULL);
      if (err != GNUTLS_E_SUCCESS)
        /* fallback if PFS is not available */
        err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
    #endif

Tim