
add TLSv1_1 and TLSv1_2 to --secure-protocol

This commit is contained in:
Tim Ruehsen 2014-10-23 21:16:37 +02:00
parent 796da8da3a
commit 3e3073ca7b
5 changed files with 37 additions and 10 deletions


@ -1641,16 +1641,16 @@ without SSL support, none of these options are available.
@cindex SSL protocol, choose @cindex SSL protocol, choose
@item --secure-protocol=@var{protocol} @item --secure-protocol=@var{protocol}
Choose the secure protocol to be used. Legal values are @samp{auto}, Choose the secure protocol to be used. Legal values are @samp{auto},
@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1} and @samp{PFS}. If @samp{auto} @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1}, @samp{TLSv1_2}
is used, the SSL library is given the liberty of choosing the appropriate and @samp{PFS}. If @samp{auto} is used, the SSL library is given the
protocol automatically, which is achieved by sending an TLSv1 greeting. liberty of choosing the appropriate protocol automatically, which is
This is the default. achieved by sending a TLSv1 greeting. This is the default.
Specifying @samp{SSLv2}, @samp{SSLv3}, or @samp{TLSv1} forces the use Specifying @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1} or
of the corresponding protocol. This is useful when talking to old and @samp{TLSv1_2} forces the use of the corresponding protocol. This is
buggy SSL server implementations that make it hard for the underlying useful when talking to old and buggy SSL server implementations that
SSL library to choose the correct protocol version. Fortunately, such make it hard for the underlying SSL library to choose the correct
servers are quite rare. protocol version. Fortunately, such servers are quite rare.
Specifying @samp{PFS} enforces the use of the so-called Perfect Forward Specifying @samp{PFS} enforces the use of the so-called Perfect Forward
Security cipher suites. In short, PFS adds security by creating a one-time Security cipher suites. In short, PFS adds security by creating a one-time


@ -1,4 +1,10 @@
2013-10-22 Ángel González <keisial@gmail.com> 2014-10-08 Nikolay Morozov <n.morozov@securitycode.ru> and Sergey Lvov <s.lvov@securitycode.ru>
* init.c (cmd_spec_secure_protocol): Add support for
TLS v1.1 and TLS v1.2 protocols
* openssl.c (ssl_init): Add support for OpenSSL engines
2014-10-22 Ángel González <keisial@gmail.com>
* css-url.c (get_uri_string): Honor the specified length argument. * css-url.c (get_uri_string): Honor the specified length argument.


@ -1498,6 +1498,8 @@ cmd_spec_secure_protocol (const char *com, const char *val, void *place)
{ "sslv2", secure_protocol_sslv2 }, { "sslv2", secure_protocol_sslv2 },
{ "sslv3", secure_protocol_sslv3 }, { "sslv3", secure_protocol_sslv3 },
{ "tlsv1", secure_protocol_tlsv1 }, { "tlsv1", secure_protocol_tlsv1 },
{ "tlsv1_1", secure_protocol_tlsv1_1 },
{ "tlsv1_2", secure_protocol_tlsv1_2 },
{ "pfs", secure_protocol_pfs }, { "pfs", secure_protocol_pfs },
}; };
int ok = decode_string (val, choices, countof (choices), place); int ok = decode_string (val, choices, countof (choices), place);
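Review bot: The two new table entries make `--secure-protocol=TLSv1_1` and `TLSv1_2` parse successfully on every build, but the matching cases in the ssl_init switch in openssl.c are wrapped in `#if OPENSSL_VERSION_NUMBER >= 0x01001000`, so with an older OpenSSL a user who selects either value falls through to `default: abort ();` — a crash on a command-line option rather than an error message. No other SSL backend is touched by this commit (the five changed files are the manual, ChangeLog, init.c, openssl.c and options.h), so if the GnuTLS backend has a similar switch the same fall-through presumably applies there; worth confirming. I would give the openssl.c `#if` an `#else` branch that handles the two values by logging the missing support and taking the existing `goto error` path instead of aborting. cmd_spec_secure_protocol begins before this hunk and continues past it.
```c
#if OPENSSL_VERSION_NUMBER >= 0x01001000
    /* … unchanged: secure_protocol_tlsv1_1 / secure_protocol_tlsv1_2 cases … */
#else
    case secure_protocol_tlsv1_1:
    case secure_protocol_tlsv1_2:
      logprintf (LOG_NOTQUIET, _("TLSv1.1 and TLSv1.2 require OpenSSL 1.0.1 or later\n"));
      goto error;
#endif
    default:
```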


@ -40,6 +40,9 @@ as that of the covered work. */
#include <openssl/x509v3.h> #include <openssl/x509v3.h>
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#if OPENSSL_VERSION_NUMBER >= 0x00907000
#include <openssl/conf.h>
#endif
#include "utils.h" #include "utils.h"
#include "connect.h" #include "connect.h"
@ -187,6 +190,12 @@ ssl_init (void)
goto error; goto error;
} }
#if OPENSSL_VERSION_NUMBER >= 0x00907000
OPENSSL_load_builtin_modules();
ENGINE_load_builtin_engines();
CONF_modules_load_file(NULL, NULL,
CONF_MFLAGS_DEFAULT_SECTION|CONF_MFLAGS_IGNORE_MISSING_FILE);
#endif
SSL_library_init (); SSL_library_init ();
SSL_load_error_strings (); SSL_load_error_strings ();
SSLeay_add_all_algorithms (); SSLeay_add_all_algorithms ();
@ -207,6 +216,14 @@ ssl_init (void)
case secure_protocol_tlsv1: case secure_protocol_tlsv1:
meth = TLSv1_client_method (); meth = TLSv1_client_method ();
break; break;
#if OPENSSL_VERSION_NUMBER >= 0x01001000
case secure_protocol_tlsv1_1:
meth = TLSv1_1_client_method ();
break;
case secure_protocol_tlsv1_2:
meth = TLSv1_2_client_method ();
break;
#endif
default: default:
abort (); abort ();
} }
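Review bot: In the second hunk (`@ -187,6 +190,12 @@`) the return value of `CONF_modules_load_file` is discarded, so a present but malformed OpenSSL configuration is silently ignored and ssl_init continues with an unknown set of engines and modules loaded; only the missing-file case is deliberately tolerated via `CONF_MFLAGS_IGNORE_MISSING_FILE`. I would check it, e.g. `if (!CONF_modules_load_file (NULL, NULL, CONF_MFLAGS_DEFAULT_SECTION | CONF_MFLAGS_IGNORE_MISSING_FILE))` followed by `logprintf (LOG_NOTQUIET, _("Could not load the OpenSSL configuration file\n"));` so the failure is at least visible. The added includes bring in only `<openssl/conf.h>`; `ENGINE_load_builtin_engines` is declared in `<openssl/engine.h>`, which should be confirmed to be included elsewhere in the file, since it is not part of this hunk. This engine/config loading is also unrelated to the TLSv1_1/TLSv1_2 change in the title, and it makes wget's TLS behaviour depend on the system openssl.cnf, which deserves a sentence in the manual rather than only a ChangeLog line. ssl_init continues past this hunk.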


@ -202,6 +202,8 @@ struct options
secure_protocol_sslv2, secure_protocol_sslv2,
secure_protocol_sslv3, secure_protocol_sslv3,
secure_protocol_tlsv1, secure_protocol_tlsv1,
secure_protocol_tlsv1_1,
secure_protocol_tlsv1_2,
secure_protocol_pfs secure_protocol_pfs
} secure_protocol; /* type of secure protocol to use. */ } secure_protocol; /* type of secure protocol to use. */
bool check_cert; /* whether to validate the server's cert */ bool check_cert; /* whether to validate the server's cert */