Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16
From: Tim Ruehsen
Subject: Re: [Bug-wget] [PATCH] OpenSSL TLSv1+ regression in wget-1.16
Date: Thu, 04 Dec 2014 17:08:25 +0100
User-agent: KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; )
On Wednesday 03 December 2014 20:19:48 Tim Rühsen wrote:
> On Wednesday, 3 December 2014, 12:36:33, Jérémie Courrèges-Anglas wrote:
> > Hi,
> >
> > Giuseppe Scrivano <address@hidden> writes:
> >
> > [...]
> >
> > > we should also hide --rand-egd from wget --help and do not accept this
> > > option when HAVE_RAND_EGD is not set.
> >
> > I thought about that and took the lazy approach: the option is still
> > available even if gnutls is used, even though it's a nop. Why then
> > change the interface if libressl is used instead of openssl/gnutls?
> >
> > Or maybe this was merely overlooked and openssl should really be
> > a special case here, dunno.
>
> IMHO, we should accept --rand-egd to not introduce regressions.
> But instead of silently ignoring the user's demand, we should print a warning
> about the LibreSSL/RAND_egd() issue. Maybe saying that a modern
> /dev/random is more secure than the EGD?
>
> It would not be nice if someone loses security without being warned.
>
> > Or... another alternative would be to get rid of RAND_egd altogether,
> > with --egd-file staying for compat for a few releases. :)
Ok, I read a bit more. I think we need it.
But the documentation should be amended (this is an OpenSSL feature).
This also goes for --random-file, which is only used in src/openssl.c.
GnuTLS is configured to read from (egd/prngd) files at compilation time, from
what I read so far. Or does someone know a way to set a random data file
explicitly for GnuTLS? If yes, we should use it if the user requests it.
Tim
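The behaviour argued for in this thread (keep accepting --rand-egd so scripts do not break, but never let the user lose their requested seeding source silently) can be sketched without any TLS library. The following is an added illustration written for this archive page, not wget's code and not an OpenSSL or GnuTLS API; the function names, the `seed_source` enum, and the `have_rand_egd` parameter (standing in for the HAVE_RAND_EGD compile-time check mentioned above) are all assumptions. It treats a requested-but-unavailable EGD, and an unreadable --random-file, as warnings rather than silent no-ops, and it checks that the fallback source actually delivered the requested number of bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not wget's code: how --rand-egd / --random-file could be
 * handled so that a build whose TLS library lacks RAND_egd() warns the user
 * instead of silently ignoring the option. */

enum seed_source {
    SEED_EGD,            /* EGD socket would be used (only when HAVE_RAND_EGD) */
    SEED_RANDOM_FILE,    /* bytes came from the user's --random-file */
    SEED_SYSTEM,         /* OS source; the user asked for nothing else */
    SEED_SYSTEM_WARNED,  /* OS source, but the user's request was not honoured */
    SEED_FAILED          /* no source produced the requested bytes */
};

/* Read 'want' bytes from 'path'; returns the number of bytes actually read,
 * 0 if the file cannot be opened. */
static size_t read_seed_bytes(const char *path, unsigned char *buf, size_t want)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return 0;
    size_t got = fread(buf, 1, want, f);
    fclose(f);
    return got;
}

/* Decide which source seeds the PRNG and fill 'buf' with 'want' bytes.
 * have_rand_egd models the compile-time HAVE_RAND_EGD check; egd_path and
 * random_file are the values of --rand-egd / --random-file (NULL if unset).
 * Any warning text is written to 'warn' (empty string when nothing to say). */
enum seed_source seed_prng(int have_rand_egd, const char *egd_path,
                           const char *random_file,
                           unsigned char *buf, size_t want,
                           char *warn, size_t warnlen)
{
    warn[0] = '\0';

    if (egd_path && have_rand_egd) {
        /* A real implementation would call the library's EGD routine here. */
        return SEED_EGD;
    }
    if (egd_path && !have_rand_egd) {
        snprintf(warn, warnlen,
                 "--rand-egd ignored: this build's TLS library has no RAND_egd(); "
                 "seeding from the system random source instead");
    }
    if (random_file) {
        if (read_seed_bytes(random_file, buf, want) == want)
            return SEED_RANDOM_FILE;
        snprintf(warn, warnlen,
                 "--random-file %s unreadable or shorter than %zu bytes; "
                 "seeding from the system random source instead",
                 random_file, want);
    }
    /* Fallback: the kernel's random source. Verify the read was complete. */
    if (read_seed_bytes("/dev/urandom", buf, want) == want)
        return warn[0] ? SEED_SYSTEM_WARNED : SEED_SYSTEM;
    return SEED_FAILED;
}

int main(void)
{
    unsigned char seed[32];
    char warn[256];
    /* Constructed inputs: a build without RAND_egd() and a user who asked for it. */
    enum seed_source s = seed_prng(0, "/var/run/egd-pool", NULL,
                                   seed, sizeof seed, warn, sizeof warn);
    printf("source=%d warning=\"%s\"\n", (int)s, warn);
    return s == SEED_FAILED ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Returning a distinct `SEED_SYSTEM_WARNED` value (rather than just printing) lets the caller decide what to do with the warning, for example log it or fail when the invocation insists on a specific source; the explicit length check on the fallback read is the part most easily forgotten when the system source is assumed to always work.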