Bug 1108591 - Use the system crypto policy unless otherwise specified
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: wget
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Assignee: Tomáš Hozza
QA Contact: Fedora Extras Quality Assurance
Blocks: 1076390
Reported: 2014-06-12 09:50 UTC by Nikos Mavrogiannopoulos
Modified: 2014-09-18 07:13 UTC

Last Closed: 2014-09-18 07:13:17 UTC
Type: Bug
Description Nikos Mavrogiannopoulos 2014-06-12 09:50:11 UTC
Please convert to use the system's crypto policy for SSL and TLS:
https://fedoraproject.org/wiki/Changes/CryptoPolicy#Scope


If this program is compiled against gnutls, change the default priority string to be "@SYSTEM" or to use gnutls_set_default_priority().

If this program is compiled against openssl, and there is no default cipher list specified, you don't need to modify it. Otherwise replace the default cipher list with "PROFILE=SYSTEM".

In both cases please verify (as described in the URL above) that the application uses the system's crypto profiles.

Comment 1 Nikos Mavrogiannopoulos 2014-07-04 10:58:08 UTC
A quick reminder: this is a blocker for #1076390. If you have no resources to pursue that, please contact me.

Comment 2 Tomáš Hozza 2014-07-04 15:54:44 UTC
Hi.

wget is compiled with OpenSSL. It appears that it used a hard-coded list of ciphers.
My proposed patch is:

diff --git a/src/openssl.c b/src/openssl.c
index 7c92ac0..bd3738a 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -212,7 +212,7 @@ ssl_init (void)
    * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more)
    */
   if (opt.secure_protocol == secure_protocol_pfs)
-    SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH");
+    SSL_CTX_set_cipher_list (ssl_ctx, "PROFILE=SYSTEM");
 
   SSL_CTX_set_default_verify_paths (ssl_ctx);
   SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
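
Review bot: the replaced `SSL_CTX_set_cipher_list` call sits inside the `if (opt.secure_protocol == secure_protocol_pfs)` branch, so the system profile would apply only when that mode is selected, and selecting it would no longer enforce the `!RSA` exclusion that the mode exists for. The path taken when no secure protocol is chosen is not touched by this hunk, so the default behaviour does not change. If the aim is a system-wide default, leave this branch's string alone and set the default where no explicit choice is made. If the change is kept as is, the comment above it ("Since we want a good protection, we also use HIGH") no longer describes the code and should be updated, and the return value of `SSL_CTX_set_cipher_list` should be checked, because a rejected string currently goes unnoticed.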


Since I'm not completely sure that this is all you want, please verify it.
(wget builds just fine with it and all tests from test suite passed)

Although I recognize the benefit of using a system-wide policy, it is really
unfortunate that it will result in more downstream patches... (if I don't
figure out how to make it acceptable for upstream).

Comment 3 Nikos Mavrogiannopoulos 2014-07-04 18:03:16 UTC
Yes, your change is correct. This is not an upstream issue, it is a system configuration issue (downstream). If you'd like to minimize changes, the best would be to have upstream make that setting available through a configuration file or so.

Comment 4 Tomáš Hozza 2014-07-07 19:48:34 UTC
A patch allowing the cipher list to be redefined when running the configure
script has been sent upstream. Waiting for their response.

Comment 5 Tomáš Hozza 2014-07-21 08:22:07 UTC
Hi.

Until you comment on the issues raised on the wget mailing list, I'm not going to make any changes to wget.

http://lists.gnu.org/archive/html/bug-wget/2014-07/msg00039.html

Comment 6 Nikos Mavrogiannopoulos 2014-07-28 11:22:02 UTC
I've provided a reply at:
http://lists.gnu.org/archive/html/bug-wget/2014-07/msg00081.html

Bottom line is that if the option is provided through the global wgetrc file, it is sufficient for our purposes. We don't want to prevent the user from changing it; we want to provide a default for the user who doesn't care about changing it.

Comment 7 Nikos Mavrogiannopoulos 2014-09-02 13:18:44 UTC
Hello Tomas,
 Any update on that issue?

Comment 8 Tomáš Hozza 2014-09-16 15:00:27 UTC
Sorry for the late response.

I will change the default wgetrc shipped in Fedora.
However, I have trouble deciding which protocol should be used as the default.
Possibilities are: SSLv2, SSLv3, TLSv1 or PFS (perfect forward security).

Please advise me which one should be used and I'll do the change in Fedora.

Comment 9 Nikos Mavrogiannopoulos 2014-09-16 15:02:34 UTC
Please see the 1st message above. The idea is that you do not need to decide that. You should be able to simply set "PROFILE=SYSTEM" if openssl is used or @SYSTEM if gnutls is used. Whether SSLv2, TLSv1, or whatever, will be decided by the policy (the user should of course be able to override that).

Comment 10 Tomáš Hozza 2014-09-18 07:13:17 UTC
I checked wget source and read the Feature page again and really carefully.

The bottom line is that I think no change is needed to the wget source. Wget contains the explicit ciphers priority string, but it is used ONLY if the user explicitly specifies a --secure-protocol=PFS on the command line. Otherwise no priority string is used and openssl should use the default priorities.

Now, the Feature page says "Any applications not explicitly specifying ciphers will use the system ciphers." Therefore no change should be needed.

Closing as NOTABUG.

Sorry for the misunderstandings. If you disagree, feel free to reopen.
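
The distinction this thread turns on, as an added example that is not part of the bug report or of wget: a context left without a cipher string keeps the build's default, an explicit string replaces it, and "PROFILE=SYSTEM" is only accepted by OpenSSL builds that know the keyword. The function names are hypothetical; the two cipher strings are the ones quoted in Comment 2.

```python
import ssl

# Cipher strings quoted in the thread (Comment 2).
WGET_PFS_STRING = "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH"
SYSTEM_PROFILE = "PROFILE=SYSTEM"


def resolve(cipher_string=None):
    """Return the suites a client context ends up with, or None if rejected.

    cipher_string=None means "never call set_ciphers", so the context keeps
    the default of this interpreter and its TLS library. Python's ssl module
    may itself be built with its own default string, so "default" here is
    this build's default, not necessarily plain OpenSSL's.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cipher_string is not None:
        try:
            ctx.set_ciphers(cipher_string)
        except ssl.SSLError:
            # The library rejected the string (unknown keyword or empty result).
            return None
    return ctx.get_ciphers()


def rsa_key_exchange(suites):
    """Names of suites that use plain RSA key exchange (no forward secrecy)."""
    return [s["name"] for s in suites if s.get("kea") == "kx-rsa"]


def report():
    """Compare the untouched default with the two strings from the thread."""
    default = resolve()
    pinned = resolve(WGET_PFS_STRING)
    system = resolve(SYSTEM_PROFILE)
    pinned_names = {s["name"] for s in pinned}
    return {
        "default_suites": len(default),
        "default_rsa_kx": rsa_key_exchange(default),
        "pinned_suites": len(pinned),
        "pinned_rsa_kx": rsa_key_exchange(pinned),
        # Suites the default offers that the hard-coded string removes.
        "removed_by_pin": sorted({s["name"] for s in default} - pinned_names),
        # True only where the TLS library recognises the keyword.
        "system_profile_supported": system is not None,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Where `system_profile_supported` is False, an application that passes "PROFILE=SYSTEM" without checking the result of the call keeps whatever cipher list was in place before.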

