[Bug-wget] cipher_list string when using OpenSSL
From: Jeffrey Walton
Subject: [Bug-wget] cipher_list string when using OpenSSL
Date: Wed, 18 Oct 2017 18:57:36 -0400
Hi Everyone,
I believe this has some room for improvement (from src/openssl.c):
"HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden"
I think it would be a good idea to provide a `--cipher_list` option to
allow the user to specify it. It might also be prudent to allow the
string to be specified in `.wgetrc`.
Regarding the default string, it's 2017, and this is probably closer to
what should be used by default:
"HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK:!kRSA"
The "!kRSA" means RSA cannot be used for key exchange (i.e., RSA key
transport), but can be used for digital signatures. MD5 is probably
another algorithm that should be sunsetted at this point in time
(though I am not aware of a HMAC/MD5 attack that can be carried out in
TCP's 2MSL re-transmit time frame).
I use the same cipher_list on the servers under my control. I've never
received a complaint from them. The cipher_list also helps get one of
those A+ reports from the various SSL scanners.
Jeff
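An added example, not part of the message or of wget's code, that expands the proposed cipher string through OpenSSL (via Python's `ssl` module) and checks that the resulting suites match the intent described above: no RSA key transport (`Kx=RSA`), no RC4, no MD5. The `HIGH:MEDIUM...` string quoted from `src/openssl.c` is mangled in the archive, so only the proposed string is expanded; the helper names `expand` and `offending` are this example's own.

```python
import ssl

# Proposed default cipher string from the message.
PROPOSED = "HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK:!kRSA"


def expand(cipher_string):
    """Return the suites OpenSSL enables for cipher_string, as
    SSLContext.get_ciphers() reports them (name, protocol, description).
    set_ciphers() raises ssl.SSLError when no suite matches the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def offending(ciphers):
    """Names of suites that contradict the message's intent: RSA key
    transport (Kx=RSA in the openssl-style description), RC4, or an MD5 MAC.
    TLS 1.3 suites report Kx=any and are not flagged."""
    bad = []
    for c in ciphers:
        desc = c["description"]
        if "Kx=RSA" in desc or "RC4" in c["name"] or "MD5" in c["name"]:
            bad.append(c["name"])
    return bad


if __name__ == "__main__":
    # Print what the local OpenSSL actually enables, the same information
    # `openssl ciphers -v '<string>'` would show.
    suites = expand(PROPOSED)
    print(f"{PROPOSED}\n  -> {len(suites)} suites, offenders: {offending(suites)}")
    for c in suites:
        print("  ", c["description"])
    # Contrast: the same string without !kRSA lets RSA key transport back in.
    relaxed = expand("HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK")
    print(f"\nwithout !kRSA -> offenders: {offending(relaxed)}")
```

Running it on a current OpenSSL shows only ECDHE/DHE (and TLS 1.3) suites for the proposed string; removing `!kRSA` brings the plain `AES*-GCM-SHA*` suites, which use RSA key transport, back into the list.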