Re: [Bug-wget] Wget and Perfect Forward Secrecy
From: Tim Ruehsen
Subject: Re: [Bug-wget] Wget and Perfect Forward Secrecy
Date: Thu, 15 Aug 2013 10:36:09 +0200
User-agent: KMail/4.10.5 (Linux/3.10-2-amd64; KDE/4.10.5; x86_64; ; )
I just found that OpenSSL also has a cipher naming convention:
http://www.openssl.org/docs/apps/ciphers.html
If Wget is compiled with OpenSSL, the user could use these.
If Wget is compiled with GnuTLS, the user would use GnuTLS option strings.
Maybe a new option like --secure-options=... for expert users would be better
than recycling --secure-protocol.
wgetrc should have two settings like secureoptionsgnutls and
secureoptionsopenssl, for when a user changes these settings and then switches
between wget-gnutls and wget-openssl. E.g. I sometimes do this for debugging
or bug hunting or for comparing resource usage.
Beside this 'expert' option, there should be an 'everyone's' option to
force/enable PFS, using --secure-protocol as I already suggested.
Regards, Tim
On Thursday 15 August 2013 09:22:09 Tim Ruehsen wrote:
> Hi,
>
> the recent discussion about PRISM and privacy in general has made more and more
> web service operators enable the so-called 'Perfect Forward Secrecy'
> (namely enabling Diffie-Hellman key exchange algorithms). For backward
> compatibility they still leave the non-DH (RSA) suites enabled, so that many
> clients (including Wget) choose these during the handshake.
>
> To have more control over this behaviour, I would like to see the
> possibility for the user to force (or at least prefer) DH key exchange plus
> enable secure cipher suites (e.g. 256 bit ciphers),
> or in general give the user more control over SSL/TLS behaviour.
>
> GnuTLS already has a very user-friendly 'priority' scheme which we could
> open to users with e.g.
> --secure-protocol=gnutls:SECURE128:+SECURE256:-VERS-SSL3.0:-RSA. (Just an
> example of how it could be done.)
>
> To make it easier for users we could also predefine something like
> --secure-protocol=force-pfs that internally maps to 'NORMAL:-VERS-SSL3.0:-RSA'.
>
> We could later write a wrapper to map GnuTLS priority syntax to OpenSSL API
> calls.
>
> Distribution maintainers could define a default in /etc/wgetrc
> (secureprotocol=...) as they like.
>
> Of course there are other ways to achieve the goal. At the moment I prefer
> extending --secure-protocol so as not to have another option. And second I prefer
> GnuTLS because of its priority strings and because Wget and GnuTLS both are
> official GNU software.
>
> What do you think ?
>
>
> some references
> http://gnutls.org/manual/html_node/Priority-Strings.html
> http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html
> https://github.com/ssllabs/research/wiki/Forward-Secrecy
>
> To play around with priority string (example):
> $ gnutls-cli --list www.savannah.de --priority NORMAL:-RSA
>
> To check your server security:
> https://www.ssllabs.com/ssltest/index.html
>
> Regards, Tim
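As an added illustration of the mapping sketched in this thread (a GnuTLS priority string translated into backend-specific settings, plus the proposed force-pfs alias), here is example code that is not part of the original message and not wget's, GnuTLS's or OpenSSL's own code. It translates a small, assumed subset of GnuTLS priority keywords into an OpenSSL cipher string plus a protocol-version floor, applies both through Python's ssl module, and then reports which key-exchange methods the resulting context would still offer, so the effect of '-RSA' can be checked rather than trusted. The keyword tables are an intentionally incomplete approximation of the two naming schemes; the 'force-pfs' alias is the mapping proposed above.

```python
"""Map GnuTLS-style priority strings onto OpenSSL settings and check the result.

Added illustration for the wget discussion above; not wget, GnuTLS or OpenSSL
code.  The keyword tables are an assumed, deliberately small approximation.
"""
import ssl

# wget-level convenience keyword -> GnuTLS priority string (as proposed in the thread)
WGET_ALIASES = {"force-pfs": "NORMAL:-VERS-SSL3.0:-RSA"}

# GnuTLS initial keyword -> OpenSSL cipher-string base (assumed approximation)
INITIAL = {
    "NORMAL": "ALL:!aNULL:!eNULL",
    "SECURE128": "HIGH:!aNULL:!eNULL",
    "SECURE256": "HIGH+AES256:!aNULL:!eNULL",
}

# GnuTLS algorithm keyword -> OpenSSL cipher-string keyword (assumed approximation).
# Note the asymmetry: GnuTLS "RSA" names the *key exchange*, so it must become
# OpenSSL "kRSA"; OpenSSL's bare "RSA" also matches RSA authentication and
# would remove the ECDHE-RSA/DHE-RSA suites, i.e. exactly the PFS ones.
ALGORITHMS = {
    "RSA": "kRSA",
    "DHE-RSA": "kEDH+aRSA",
    "DHE-DSS": "kEDH+aDSS",
    "ECDHE-RSA": "kEECDH+aRSA",
    "ECDHE-ECDSA": "kEECDH+aECDSA",
    "ANON-DH": "ADH",
    "AES-128-GCM": "AES128+AESGCM",
    "AES-256-GCM": "AES256+AESGCM",
    "ARCFOUR-128": "RC4",
    "SHA1": "SHA1",
    "MD5": "MD5",
}

# GnuTLS version keyword -> ssl.TLSVersion member name.  OpenSSL does not select
# protocol versions through the cipher string, so these are applied separately.
VERSIONS = {
    "VERS-SSL3.0": "SSLv3",
    "VERS-TLS1.0": "TLSv1",
    "VERS-TLS1.1": "TLSv1_1",
    "VERS-TLS1.2": "TLSv1_2",
}
VERSION_ORDER = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")


def translate(priority):
    """Return (openssl_cipher_string, banned_version_names) for a priority string."""
    priority = WGET_ALIASES.get(priority, priority)
    tokens = priority.split(":")
    if tokens[0] not in INITIAL:
        raise ValueError("unknown initial keyword: %r" % tokens[0])
    parts, banned = [INITIAL[tokens[0]]], []
    for token in tokens[1:]:
        op, name = token[:1], token[1:]
        if op not in "+-!" or not name:
            raise ValueError("malformed token: %r" % token)
        if name in VERSIONS:
            ver = VERSIONS[name]
            if op == "+":
                if ver in banned:
                    banned.remove(ver)
            elif ver not in banned:
                banned.append(ver)
        elif name in ALGORITHMS:
            # GnuTLS '+' adds; OpenSSL adds by plain mention.  '-' and '!' both
            # remove in GnuTLS; in OpenSSL '-' allows a later re-add, '!' does not.
            parts.append(("" if op == "+" else op) + ALGORITHMS[name])
        else:
            raise ValueError("unsupported keyword: %r" % name)  # refuse, never ignore
    return ":".join(parts), tuple(banned)


def is_valid(priority):
    try:
        translate(priority)
    except ValueError:
        return False
    return True


def build_context(priority):
    """Apply a translated priority string to a fresh client SSLContext."""
    cipher_string, banned = translate(priority)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # The lowest version not banned becomes the floor.  A priority string only
    # removes versions, so the floor is only ever raised, and never below TLS 1.0,
    # the least that modern OpenSSL builds (without SSLv3) accept.
    floor = ssl.TLSVersion.TLSv1
    for name in VERSION_ORDER:
        if name not in banned:
            floor = max(floor, getattr(ssl.TLSVersion, name))
            break
    if banned and floor > ctx.minimum_version:
        ctx.minimum_version = floor
    return ctx


def key_exchanges(ctx):
    """Key-exchange methods of the TLS<=1.2 suites the context would offer."""
    kx = set()
    for cipher in ctx.get_ciphers():
        fields = cipher["description"].split()   # e.g. "... TLSv1.2 Kx=ECDH Au=RSA ..."
        if fields[1] == "TLSv1.3":               # 1.3 suites are (EC)DHE-only anyway
            continue
        kx.update(f[3:] for f in fields if f.startswith("Kx="))
    return kx


if __name__ == "__main__":
    for prio in ("NORMAL", "force-pfs", "SECURE256:-VERS-TLS1.0:-VERS-TLS1.1:-RSA:-DHE-DSS"):
        cs, banned = translate(prio)
        ctx = build_context(prio)
        print("%-55s -> %s  banned=%s  min=%s  Kx=%s"
              % (prio, cs, banned, ctx.minimum_version.name, sorted(key_exchanges(ctx))))
```

Running the block shows 'NORMAL' still offering Kx=RSA while 'force-pfs' leaves only ECDH/DH (and whatever PSK-style exchanges the build includes), which is the property a '--secure-protocol=force-pfs' option would have to guarantee. Two points a practitioner should keep in mind when writing such a wrapper for real: the kRSA versus RSA distinction above, which a one-to-one keyword substitution gets wrong silently, and the fact that version removal has no cipher-string equivalent in OpenSSL and must go through the context's protocol settings. The translated strings can be cross-checked by hand with `gnutls-cli --list --priority '...'` on one side and `openssl ciphers -v '...'` on the other.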