Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified

2014-10-19 Thread Ángel González
Tim Rühsen wrote: Hi Ángel, thanks for your testing. I would like to reproduce it - can you tell me what you did exactly? I used a simple server that printed the TLS Client Hello and closed the connection. Browsers automatically retried with lower SSL versions. wget aborted with an

Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified

2014-10-19 Thread Tim Rühsen
On Sunday, 19 October 2014, 21:11:01, Ángel González wrote: Tim Rühsen wrote: Hi Ángel, thanks for your testing. I would like to reproduce it - can you tell me what you did exactly? I used a simple server that printed the TLS Client Hello and closed the connection. Browsers

Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified

2014-10-17 Thread Tim Rühsen
On Thursday, 16 October 2014, 22:01:35, Ángel González wrote: Ángel González wrote: First of all, note that wget doesn't react to a disconnect with a downgraded retry thus it is mainly not vulnerable to poodle (you could only use CVE-2014-3566 against servers not supporting TLS).

Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified

2014-10-17 Thread Christoph Anton Mitterer
Hey. On Thu, 2014-10-16 at 19:01 +0200, Tim Rühsen wrote: Thanks for your input. We are just discussing that issue (and of course anybody is invited to take part here on the list). Sorry, I only saw that one afterwards :) While we (developers) could change the code in a few minutes,

Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified

2014-10-17 Thread Christoph Anton Mitterer
On Thu, 2014-10-16 at 21:34 +0200, Ángel González wrote: First of all, note that wget doesn't react to a disconnect with a downgraded retry thus it is mainly not vulnerable to poodle (you could only use CVE-2014-3566 against servers not supporting TLS). Then, even in that case, as an

Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified

2014-10-17 Thread Tim Rühsen
On Friday, 17 October 2014, 18:02:39, Christoph Anton Mitterer wrote: On Thu, 2014-10-16 at 21:34 +0200, Ángel González wrote: First of all, note that wget doesn't react to a disconnect with a downgraded retry thus it is mainly not vulnerable to poodle (you could only use CVE-2014-3566

[Bug-wget] please remove SSLv3 from being used until explicitly specified

2014-10-16 Thread Christoph Anton Mitterer
Hi. Could you please consider removing SSLv3 (and if not done yet SSLv2 as well) from being automatically used, while still leaving users the choice to manually enable it (e.g. via --secure-protocol=SSLv2/3). I think it would be a bad idea to expect that these insecure versions are dropped from

Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified

2014-10-16 Thread Tim Rühsen
On Thursday, 16 October 2014, 14:03:43, Christoph Anton Mitterer wrote: Hi. Could you please consider removing SSLv3 (and if not done yet SSLv2 as well) from being automatically used, while still leaving users the choice to manually enable it (e.g. via --secure-protocol=SSLv2/3). I

Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified

2014-10-16 Thread Ángel González
On 16/10/14 19:01, Tim Rühsen wrote: On Thursday, 16 October 2014, 14:03:43, Christoph Anton Mitterer wrote: Also, wget seems to have this --secure-protocol=PFS, which seems a bit strange to me, since PFS is not a property of TLS/SSL itself but rather the algorithms used. Especially,

Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified

2014-10-16 Thread Ángel González
Ángel González wrote: First of all, note that wget doesn't react to a disconnect with a downgraded retry thus it is mainly not vulnerable to poodle (you could only use CVE-2014-3566 against servers not supporting TLS). Note I tested both openssl and gnutls builds. Then I rebuilt 1.15¹ with

Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified

2014-10-16 Thread Ángel González
Ángel González wrote: First of all, note that wget doesn't react to a disconnect with a downgraded retry thus it is mainly not vulnerable to poodle (you could only use CVE-2014-3566 against servers not supporting TLS). And curl is equally not affected (tested 7.38.0).