Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL

2014-07-10 Thread Tomas Hozza
- Original Message -
> Tomas Hozza  writes:
> 
> >> What do you think about extending --secure-protocol and having a runtime
> >> option instead of a compile time option ? Users could set the system wide
> >> default value in /etc/wgetrc and people are able to override it through
> >> ~/.wgetrc or --secure-protocol.
> >
> > Hi Tim.
> >
> > I'm afraid this is not suitable for us. We need to be able to define the
> > policy somewhere in /etc, where the user is not able to change it (only
> > the system administrator).
> >
> > Also the main intention to have a single place to set the policy for all
> > system components, therefore wgetrc is not the right place for us.
> >
> > Regards,
> 
> how would the policy defined in /etc be used by wget?  Is wget going to
> be recompiled if the policy is changed by root?
> 

Hi Giuseppe.

It will be used by OpenSSL. So there will be no need to recompile wget.
Wget will be compiled with a ciphers list string telling OpenSSL that
it should use the system-defined ciphers.

I'm CC-ing the Fedora change owner to clarify the approach further if needed.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.   http://cz.redhat.com



Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL

2014-07-10 Thread Tim Ruehsen
On Thursday 10 July 2014 08:37:23 Tomas Hozza wrote:
> - Original Message -
> 
> > On Tuesday 08 July 2014 16:14:42 Petr Pisar wrote:
> > > On Tue, Jul 08, 2014 at 10:00:24AM -0400, Tomas Hozza wrote:
> > > > I'm afraid this is not suitable for us. We need to be able to define
> > > > the policy somewhere in /etc, where the user is not able to change it
> > > > (only the system administrator).
> > > 
> > > I hope can also prevent the user from running his own wget executable,
> > > or ld-preloading modified OpenSSL library, or intercepting open(2) calls
> > > to provide fake /etc file.
> > > 
> > > > Also the main intention to have a single place to set the policy for
> > > > all system components, therefore wgetrc is not the right place for us.
> > > 
> > > What about to change wget to call OPENSSL_config(NULL) instead of
> > > setting some hard-coded preference string. Then you can teach OpenSSL
> > > to load your /etc configuration instead of patching each application.
> > > 
> > > -- Petr
> > 
> > Tomas intention is to only change the (Wget hard-coded) cipher list for
> > --secure-protocol=PFS. At least, that's what I understood so far.
> 
> It may seem so, but my intention was to be able to redefine any occurrence
> of explicitly hard-coded ciphers priority list. In openssl.c it was only in
> the code that was executed if --secure-protocol=PFS was used.

In this case, you should use a name like --with-PFS-ciphers-list=LIST, because 
you are just changing the PFS hard-coded cipher list. Imagine, we add new
--secure-protocol options with hard-coded values like
--secure-protocol=FOO
--secure-protocol=BAR

In this case you have to create another patch with
./configure --with-ciphers-list-FOO
and
./configure --with-ciphers-list-BAR
since the meanings could be very different. This is why I think it makes sense 
to add 'PFS' to your ./configure option name.

GnuTLS even makes it more complicated since protocols, ciphers, key exchange 
mode etc is read from (currently hard-coded) strings.
Here is the code:
case secure_protocol_auto:
  break;
case secure_protocol_sslv2:
case secure_protocol_sslv3:
  err = gnutls_priority_set_direct (session, "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0", NULL);
  break;
case secure_protocol_tlsv1:
  err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL);
  break;
case secure_protocol_pfs:
  err = gnutls_priority_set_direct (session, "PFS", NULL);
  if (err != GNUTLS_E_SUCCESS)
    /* fallback if PFS is not available */
    err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
  break;

You have to provide configure options for each of these
(--secure-protocol=sslv2|sslv3|tlsv1|pfs) e.g.

--with-ciphers-list-sslv2
--with-ciphers-list-sslv3
--with-ciphers-list-tlsv1
--with-ciphers-list-pfs

And I am sure there will be more options in the future and I guess the Wget 
people will have to maintain the above configure options in the future for you 
/ Redhat. And that would be clear going with my above suggestions.

Also very likely is a command line option to freely specify OpenSSL ciphers or 
GnuTLS priority strings. I mention this, because you said the Wget user should 
not be able to set/manage the ciphers on his own. I am not sure how this fits 
into Redhat's philosophy.

> Thank you Tim for the help. I actually renamed the option to
> --with-ciphers-list so the defined list will replace all hard-coded ciphers
> lists regardless if using GnuTLS or OpenSSL.

The above suggested changes are pretty straight forward.
But you may wait for Giuseppe's consent if he will accept such a Redhat 
specific patch at all (but I guess he will ;-).

Regards,
Tim




Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL

2014-07-10 Thread Tim Rühsen
On Tuesday, 8 July 2014, 16:57:35 Giuseppe Scrivano wrote:
> Tomas Hozza  writes:
> >> What do you think about extending --secure-protocol and having a runtime
> >> option instead of a compile time option ? Users could set the system wide
> >> default value in /etc/wgetrc and people are able to override it through
> >> ~/.wgetrc or --secure-protocol.
> > 
> > Hi Tim.
> > 
> > I'm afraid this is not suitable for us. We need to be able to define the
> > policy somewhere in /etc, where the user is not able to change it (only
> > the system administrator).
> > 
> > Also the main intention to have a single place to set the policy for all
> > system components, therefore wgetrc is not the right place for us.
> > 
> > Regards,
> 
> how would the policy defined in /etc be used by wget?  Is wget going to
> be recompiled if the policy is changed by root?

Also there is still Ángel's remark: your change only applies to
--secure-protocol=PFS. But you also answered to my posting that the user should
not be able to change it... but they can by using e.g. --secure-protocol=TLSv1
or by doing settings in ~/.wgetrc.

Maybe you could explain in a bit more detail what you want to do and what you 
expect Wget to do in a Redhat compilation. We really want to help you out.

Tim




Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL

2014-07-10 Thread Tomas Hozza
- Original Message -
> On Tuesday 08 July 2014 16:14:42 Petr Pisar wrote:
> > On Tue, Jul 08, 2014 at 10:00:24AM -0400, Tomas Hozza wrote:
> > > I'm afraid this is not suitable for us. We need to be able to define the
> > > policy somewhere in /etc, where the user is not able to change it (only
> > > the system administrator).
> > 
> > I hope can also prevent the user from running his own wget executable, or
> > ld-preloading modified OpenSSL library, or intercepting open(2) calls to
> > provide fake /etc file.
> > 
> > > Also the main intention to have a single place to set the policy for all
> > > system components, therefore wgetrc is not the right place for us.
> > 
> > What about to change wget to call OPENSSL_config(NULL) instead of setting
> > some hard-coded preference string. Then you can teach OpenSSL to load your
> > /etc configuration instead of patching each application.
> > 
> > -- Petr
> 
> Tomas intention is to only change the (Wget hard-coded) cipher list for
> --secure-protocol=PFS. At least, that's what I understood so far.

It may seem so, but my intention was to be able to redefine any occurrence of
explicitly hard-coded ciphers priority list. In openssl.c it was only in the
code that was executed if --secure-protocol=PFS was used.

> Tomas, could you rename the ./configure --with-openssl-ciphers-list=LIST to
> something like --with-PFS-ciphers-list=LIST and rename OPENSSL_CIPHERS_LIST
> to PFS_CIPHERS_LIST ?
> I will add the gnutls code in a second patch, though it is very easy - if you
> want to add it:
> 
> The current code in gnutls.c is
>   err = gnutls_priority_set_direct (session, "PFS", NULL);
>   if (err != GNUTLS_E_SUCCESS)
>     /* fallback if PFS is not available */
>     err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
> 
> which should simply be replaced by:
> #ifdef PFS_CIPHERS_LIST
>   err = gnutls_priority_set_direct (session, PFS_CIPHERS_LIST, NULL);
> #else
>   err = gnutls_priority_set_direct (session, "PFS", NULL);
>   if (err != GNUTLS_E_SUCCESS)
>     /* fallback if PFS is not available */
>     err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
> #endif
> 
> Tim

Thank you Tim for the help. I actually renamed the option to --with-ciphers-list
so the defined list will replace all hard-coded ciphers lists regardless if
using GnuTLS or OpenSSL.

The version 3 of the patch is attached.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.   http://cz.redhat.com
From c92ebeb4892fd355489641ab544af502dcad0ae5 Mon Sep 17 00:00:00 2001
From: Tomas Hozza 
Date: Thu, 10 Jul 2014 14:14:19 +0200
Subject: [PATCH] Add configure option --with-ciphers-list v3

Allow the users to redefine the ciphers list used
when compiled with OpenSSL. This is usable for
distributions, that distribute wget as binary package
and want to use own system-wide ciphers list.

version 2:
Print the ciphers list with --version, if it was
redefined using configure script option.

version 3:
Option renamed to --with-ciphers-list.
Added support to redefine hardcoded ciphers list
also for GnuTLS.

Signed-off-by: Tomas Hozza 
---
 ChangeLog   |  5 +
 configure.ac| 15 +++
 src/ChangeLog   |  7 +++
 src/Makefile.am |  2 ++
 src/gnutls.c| 10 ++
 src/main.c  | 14 ++
 src/openssl.c   |  4 
 7 files changed, 57 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 2bfae67..c2ea802 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-07-10  Tomas Hozza  
+
+	* configure.ac: Add --with-ciphers-list to allow redefining the
+	default ciphers priority list for SSL.
+
 2014-06-28  Giuseppe Scrivano  
 
 	* cfg.mk (local-checks-to-skip): Remove some checks.
diff --git a/configure.ac b/configure.ac
index abc92fb..51ae56e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -69,6 +69,12 @@ AC_ARG_WITH(ssl,
 [[  --without-ssl   disable SSL autodetection
   --with-ssl={gnutls,openssl} specify the SSL backend.  GNU TLS is the default.]])
 
+AC_ARG_WITH([ciphers-list],
+[  --with-ciphers-list=LIST  Use cipers priority list for SSL defined
+   as an argument.],
+[with_ciphers_list="$withval"],
+[with_ciphers_list=no])
+
 AC_ARG_WITH(zlib,
 [[  --without-zlib  disable zlib ]])
 
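Review bot: the help string in the new AC_ARG_WITH block misspells "ciphers" ("Use cipers priority list for SSL defined as an argument"); since this text is what `./configure --help` prints, suggest `--with-ciphers-list=LIST  use LIST as the cipher priority string for the SSL backend`, which also tells the reader the value is handed verbatim to OpenSSL or GnuTLS.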
@@ -364,6 +370,15 @@ else
   fi
 fi
 
+# check if ciphers list was manually defined
+AS_IF([test x"$with_ciphers_list" != xno], [
+   AS_IF([test x"$with_ssl" == xno], [
+  AC_MSG_ERROR([--with-ciphers-list can be used only with SSL enabled])
+  ])
+   AC_DEFINE_UNQUOTED([CIPHERS_LIST], ["$with_ciphers_list"], [Use defined ciphers list for SSL])
+   CIPHERS_LIST="$with_ciphers_list"
+   AC_SUBST(CIPHERS_LIST)
+])
 
 dnl **
 dnl Checks for IPv6
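Review bot: `test x"$with_ssl" == xno` uses the bash-only `==` operator; configure runs under /bin/sh, where POSIX `test` defines only `=`, so on dash this line reports "unexpected operator" instead of performing the comparison and the AC_MSG_ERROR branch is never reached. Use `test x"$with_ssl" = xno`. The same block also accepts a bare `--with-ciphers-list` (withval is then "yes"), which would compile CIPHERS_LIST as the literal string "yes"; adding `test x"$with_ciphers_list" = xyes` to the error condition next to the SSL check would reject that.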
diff --git a/src/ChangeLog b/src/ChangeLog
inde

[Bug-wget] Recursive download

2014-07-10 Thread José Pena otero
Arguments for downloading with wget the content of web pages (videos, sheet
music, ...) and not a listing of their content; in my case, the argument
wget+URL does not download even one video whose full URL has been copied and
pasted.
Awaiting your reply, I send you my greetings and thanks for your attention.

   José Pena Otero-Galicia
   Trisquel user



[Bug-wget] A bug in KFFirstAide, and its solution!

2014-07-10 Thread Diego Rodriguez
Hi,

I had trouble using KFFirstAide, until I found the cause: many files were
not downloading from the site, for some certificate problems and other
cookie errors.

Solution? I edited runme.bat and replaced every "wget " with "wget wget
--no-check-certificate --no-cookies "

Now it works smoothly.

Maybe you should do the same and distribute that way.

Kind regards!

Diego

--
*Diego Rodriguez*
diegohumani...@gmail.com

*Perfiles:*
http://profiles.google.com/DiegoHumanista
http://www.facebook.com/DiegoHumanista
http://www.linkedin.com/pub/diego-rodriguez/b/b90/112
http://twitter.com/#!/DiegoHumanista


Re: [Bug-wget] [PATCH] Allow to redefine ciphers list for OpenSSL

2014-07-10 Thread Tim Ruehsen
On Tuesday 08 July 2014 16:14:42 Petr Pisar wrote:
> On Tue, Jul 08, 2014 at 10:00:24AM -0400, Tomas Hozza wrote:
> > I'm afraid this is not suitable for us. We need to be able to define the
> > policy somewhere in /etc, where the user is not able to change it (only
> > the system administrator).
> 
> I hope can also prevent the user from running his own wget executable, or
> ld-preloading modified OpenSSL library, or intercepting open(2) calls to
> provide fake /etc file.
> 
> > Also the main intention to have a single place to set the policy for all
> > system components, therefore wgetrc is not the right place for us.
> 
> What about to change wget to call OPENSSL_config(NULL) instead of setting
> some hard-coded preference string. Then you can teach OpenSSL to load your
> /etc configuration instead of patching each application.
> 
> -- Petr

Tomas intention is to only change the (Wget hard-coded) cipher list for
--secure-protocol=PFS. At least, that's what I understood so far.

Tomas, could you rename the ./configure --with-openssl-ciphers-list=LIST to 
something like --with-PFS-ciphers-list=LIST and rename OPENSSL_CIPHERS_LIST to 
PFS_CIPHERS_LIST ?
I will add the gnutls code in a second patch, though it is very easy - if you 
want to add it:

The current code in gnutls.c is
  err = gnutls_priority_set_direct (session, "PFS", NULL);
  if (err != GNUTLS_E_SUCCESS)
    /* fallback if PFS is not available */
    err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);

which should simply be replaced by:
#ifdef PFS_CIPHERS_LIST
  err = gnutls_priority_set_direct (session, PFS_CIPHERS_LIST, NULL);
#else
  err = gnutls_priority_set_direct (session, "PFS", NULL);
  if (err != GNUTLS_E_SUCCESS)
    /* fallback if PFS is not available */
    err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
#endif

Tim
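An added example, not wget's code and not part of Tim's or Tomas's patch, that carries Tim's #ifdef PFS_CIPHERS_LIST suggestion above and the GnuTLS switch he quoted in his other reply through to the general case the v3 patch aims at: one compile-time list replacing every hard-coded priority string, with the PFS fallback kept only when no list was configured. The gnutls call is modelled by a function pointer so it runs without GnuTLS; the `apply_priority` name, the `set_without_pfs` stub and the `secure_protocol` enum values are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define GNUTLS_E_SUCCESS 0
#define GNUTLS_E_INVALID_REQUEST (-50)  /* GnuTLS's code for a rejected priority string */

enum secure_protocol { secure_protocol_auto, secure_protocol_sslv2, secure_protocol_sslv3,
                       secure_protocol_tlsv1, secure_protocol_pfs };

/* Stand-in for gnutls_priority_set_direct (session, priorities, NULL). */
typedef int (*set_priority_fn) (void *session, const char *priorities);

/* Applies the priority string for --secure-protocol=SP.  OVERRIDE plays the
   role of CIPHERS_LIST (NULL when built without --with-ciphers-list).
   *APPLIED receives the accepted string or NULL; returns the last status. */
int apply_priority (void *session, enum secure_protocol sp, const char *override,
                    set_priority_fn set, const char **applied)
{
  const char *primary = NULL, *fallback = NULL;
  int err;
  *applied = NULL;
  switch (sp) {
  case secure_protocol_auto:
    return GNUTLS_E_SUCCESS;                 /* nothing hard-coded: library default */
  case secure_protocol_sslv2:
  case secure_protocol_sslv3:
    primary = "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0"; break;
  case secure_protocol_tlsv1:
    primary = "NORMAL:-VERS-SSL3.0"; break;
  case secure_protocol_pfs:
    primary = "PFS"; fallback = "NORMAL:-RSA"; break;
  }
  if (override != NULL && override[0] != '\0') {
    /* The administrator's list replaces every hard-coded string and gets no
       fallback: quietly degrading to NORMAL:-RSA would defeat the policy. */
    primary = override;
    fallback = NULL;
  }
  err = set (session, primary);
  if (err == GNUTLS_E_SUCCESS)
    *applied = primary;
  else if (fallback != NULL && (err = set (session, fallback)) == GNUTLS_E_SUCCESS)
    *applied = fallback;
  return err;
}

/* Constructed stub: behaves like a GnuTLS build that lacks the PFS keyword. */
static int set_without_pfs (void *session, const char *priorities)
{
  (void) session;
  return strcmp (priorities, "PFS") == 0 ? GNUTLS_E_INVALID_REQUEST : GNUTLS_E_SUCCESS;
}
```

With a configured list, a rejected priority string is reported as an error rather than silently replaced, which is the behaviour a system-wide policy needs.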

