
do not use SSLv3 except explicitely requested

Tim Ruehsen 2014-10-16 20:44:56 +02:00
parent ff876a3710
commit 6fc11e46ec
5 changed files with 15 additions and 7 deletions


@ -1,3 +1,7 @@
2014-10-16 Tim Ruehsen <tim.ruehsen@gmx.de>
* wget.texi (Download Options): update --secure-protocol description
2014-08-03 Giuseppe Scrivano <gscrivano@gnu.org> 2014-08-03 Giuseppe Scrivano <gscrivano@gnu.org>
* wget.texi (Download Options): Fix texinfo warning. * wget.texi (Download Options): Fix texinfo warning.


@ -1643,8 +1643,8 @@ without SSL support, none of these options are available.
Choose the secure protocol to be used. Legal values are @samp{auto}, Choose the secure protocol to be used. Legal values are @samp{auto},
@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1} and @samp{PFS}. If @samp{auto} @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1} and @samp{PFS}. If @samp{auto}
is used, the SSL library is given the liberty of choosing the appropriate is used, the SSL library is given the liberty of choosing the appropriate
protocol automatically, which is achieved by sending an SSLv2 greeting protocol automatically, which is achieved by sending an TLSv1 greeting.
and announcing support for SSLv3 and TLSv1. This is the default. This is the default.
Specifying @samp{SSLv2}, @samp{SSLv3}, or @samp{TLSv1} forces the use Specifying @samp{SSLv2}, @samp{SSLv3}, or @samp{TLSv1} forces the use
of the corresponding protocol. This is useful when talking to old and of the corresponding protocol. This is useful when talking to old and


@ -1,3 +1,8 @@
2014-10-16 Tim Ruehsen <tim.ruehsen@gmx.de>
* gnutls.c (ssl_connect_wget): do not use SSLv3 except explicitely requested
* openssl.c (ssl_init): do not use SSLv3 except explicitely requested
2014-05-03 Tim Ruehsen <tim.ruehsen@gmx.de> 2014-05-03 Tim Ruehsen <tim.ruehsen@gmx.de>
* retr.c (retrieve_url): fixed memory leak * retr.c (retrieve_url): fixed memory leak


@ -433,6 +433,7 @@ ssl_connect_wget (int fd, const char *hostname)
switch (opt.secure_protocol) switch (opt.secure_protocol)
{ {
case secure_protocol_auto: case secure_protocol_auto:
err = gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-SSL3.0", NULL);
break; break;
case secure_protocol_sslv2: case secure_protocol_sslv2:
case secure_protocol_sslv3: case secure_protocol_sslv3:
@ -442,10 +443,10 @@ ssl_connect_wget (int fd, const char *hostname)
err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL); err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL);
break; break;
case secure_protocol_pfs: case secure_protocol_pfs:
err = gnutls_priority_set_direct (session, "PFS", NULL); err = gnutls_priority_set_direct (session, "PFS:-VERS-SSL3.0", NULL);
if (err != GNUTLS_E_SUCCESS) if (err != GNUTLS_E_SUCCESS)
/* fallback if PFS is not available */ /* fallback if PFS is not available */
err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL); err = gnutls_priority_set_direct (session, "NORMAL:-RSA:-VERS-SSL3.0", NULL);
break; break;
default: default:
abort (); abort ();
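Review bot: The new `secure_protocol_auto` branch in the first hunk sets the priority string "NORMAL:%COMPAT:-VERS-SSL3.0" with no comment, and `%COMPAT` appears only here and not in the `tlsv1` or `pfs` strings, so a reader cannot tell whether that difference is deliberate. Suggest a comment above the new line such as `/* auto: let GnuTLS negotiate the version, but never fall back to SSL 3.0 unless it was explicitly requested */`, extended with the reason `%COMPAT` is wanted only in this mode. It is also worth confirming that `auto` still differs meaningfully from `tlsv1` now that both strings start from NORMAL and exclude SSL 3.0. ssl_connect_wget continues outside the hunk, so whether `err` from the new branch is checked after the switch could not be verified here.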


@ -194,9 +194,6 @@ ssl_init (void)
switch (opt.secure_protocol) switch (opt.secure_protocol)
{ {
case secure_protocol_auto:
meth = SSLv23_client_method ();
break;
#ifndef OPENSSL_NO_SSL2 #ifndef OPENSSL_NO_SSL2
case secure_protocol_sslv2: case secure_protocol_sslv2:
meth = SSLv2_client_method (); meth = SSLv2_client_method ();
@ -205,6 +202,7 @@ ssl_init (void)
case secure_protocol_sslv3: case secure_protocol_sslv3:
meth = SSLv3_client_method (); meth = SSLv3_client_method ();
break; break;
case secure_protocol_auto:
case secure_protocol_pfs: case secure_protocol_pfs:
case secure_protocol_tlsv1: case secure_protocol_tlsv1:
meth = TLSv1_client_method (); meth = TLSv1_client_method ();
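Review bot: Routing `secure_protocol_auto` to `TLSv1_client_method ()` in the second hunk pins the connection to TLS 1.0 only, because that OpenSSL method does not negotiate TLS 1.1 or 1.2, whereas the removed `SSLv23_client_method ()` negotiated the highest version both sides support; so "auto" now loses newer protocol versions rather than only SSL 3.0, and no longer matches the updated wget.texi text that says the library chooses the protocol. A safer shape is to keep `meth = SSLv23_client_method ();` for `auto` and exclude the legacy versions on the context instead, e.g. `SSL_CTX_set_options (ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` right after the SSL_CTX is created, with `ctx` standing for whatever that context variable is called. That creation code and the rest of ssl_init lie outside the hunk, so the exact placement could not be checked here. The `pfs` case shares the TLS-1.0-only limitation, but that predates this commit.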