do not use SSLv3 except explicitely requested

2024-07-03 16:38:41 -04:00 · 2014-10-16 20:44:56 +02:00 · 2014-10-16 20:44:56 +02:00 · 6fc11e46ec
commit 6fc11e46ec
parent ff876a3710
5 changed files with 15 additions and 7 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,3 +1,7 @@
+2014-10-16  Tim Ruehsen  <tim.ruehsen@gmx.de>
+
+	* wget.texi (Download Options): update --secure-protocol description
+
 2014-08-03  Giuseppe Scrivano  <gscrivano@gnu.org>

 	* wget.texi (Download Options): Fix texinfo warning.
--- a/doc/wget.texi
+++ b/doc/wget.texi
@ -1643,8 +1643,8 @@ without SSL support, none of these options are available.
 Choose the secure protocol to be used.  Legal values are @samp{auto},
@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1} and @samp{PFS}.  If @samp{auto}
 is used, the SSL library is given the liberty of choosing the appropriate
-protocol automatically, which is achieved by sending an SSLv2 greeting
-and announcing support for SSLv3 and TLSv1.  This is the default.
+protocol automatically, which is achieved by sending an TLSv1 greeting.
+This is the default.

 Specifying @samp{SSLv2}, @samp{SSLv3}, or @samp{TLSv1} forces the use
 of the corresponding protocol.  This is useful when talking to old and
--- a/src/ChangeLog
+++ b/src/ChangeLog
@ -1,3 +1,8 @@
+2014-10-16  Tim Ruehsen  <tim.ruehsen@gmx.de>
+
+	* gnutls.c (ssl_connect_wget): do not use SSLv3 except explicitely requested
+	* openssl.c (ssl_init): do not use SSLv3 except explicitely requested
+
 2014-05-03  Tim Ruehsen  <tim.ruehsen@gmx.de>

 	* retr.c (retrieve_url): fixed memory leak
--- a/src/gnutls.c
+++ b/src/gnutls.c
@ -433,6 +433,7 @@ ssl_connect_wget (int fd, const char *hostname)
  switch (opt.secure_protocol)
    {
    case secure_protocol_auto:
+      err = gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-SSL3.0", NULL);
      break;
    case secure_protocol_sslv2:
    case secure_protocol_sslv3:
@ -442,10 +443,10 @@ ssl_connect_wget (int fd, const char *hostname)
      err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL);
      break;
    case secure_protocol_pfs:
-      err = gnutls_priority_set_direct (session, "PFS", NULL);
+      err = gnutls_priority_set_direct (session, "PFS:-VERS-SSL3.0", NULL);
      if (err != GNUTLS_E_SUCCESS)
        /* fallback if PFS is not available */
-        err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
+        err = gnutls_priority_set_direct (session, "NORMAL:-RSA:-VERS-SSL3.0", NULL);
      break;
    default:
      abort ();
--- a/src/openssl.c
+++ b/src/openssl.c
@ -194,9 +194,6 @@ ssl_init (void)

  switch (opt.secure_protocol)
    {
-    case secure_protocol_auto:
-      meth = SSLv23_client_method ();
-      break;
 #ifndef OPENSSL_NO_SSL2
    case secure_protocol_sslv2:
      meth = SSLv2_client_method ();
@ -205,6 +202,7 @@ ssl_init (void)
    case secure_protocol_sslv3:
      meth = SSLv3_client_method ();
      break;
+    case secure_protocol_auto:
    case secure_protocol_pfs:
    case secure_protocol_tlsv1:
      meth = TLSv1_client_method ();