From bca3e7ea1e430de4fcbc15daad60e8a2953e3a61 Mon Sep 17 00:00:00 2001 From: Tim Ruehsen Date: Thu, 16 Oct 2014 20:44:56 +0200 Subject: [PATCH] do not use SSLv3 except explicitely requested --- doc/ChangeLog | 4 ++++ doc/wget.texi | 4 ++-- src/ChangeLog | 5 +++++ src/gnutls.c | 5 +++-- src/openssl.c | 4 +--- 5 files changed, 15 insertions(+), 7 deletions(-) diff --git a/doc/ChangeLog b/doc/ChangeLog index f055fa5..dd43162 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,7 @@ +2014-10-16 Tim Ruehsen + + * wget.texi (Download Options): update --secure-protocol description + 2014-08-03 Giuseppe Scrivano * wget.texi (Download Options): Fix texinfo warning. diff --git a/doc/wget.texi b/doc/wget.texi index a31eb5e..1e1dd36 100644 --- a/doc/wget.texi +++ b/doc/wget.texi @@ -1643,8 +1643,8 @@ without SSL support, none of these options are available. Choose the secure protocol to be used. Legal values are @samp{auto}, @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1} and @samp{PFS}. If @samp{auto} is used, the SSL library is given the liberty of choosing the appropriate -protocol automatically, which is achieved by sending an SSLv2 greeting -and announcing support for SSLv3 and TLSv1. This is the default. +protocol automatically, which is achieved by sending an TLSv1 greeting. +This is the default. Specifying @samp{SSLv2}, @samp{SSLv3}, or @samp{TLSv1} forces the use of the corresponding protocol. This is useful when talking to old and diff --git a/src/ChangeLog b/src/ChangeLog index 1c4e2d5..db4cd04 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2014-10-16 Tim Ruehsen + + * gnutls.c (ssl_connect_wget): do not use SSLv3 except explicitely requested + * openssl.c (ssl_init): do not use SSLv3 except explicitely requested + 2014-05-03 Tim Ruehsen * retr.c (retrieve_url): fixed memory leak diff --git a/src/gnutls.c b/src/gnutls.c index c09b7a2..75627e1 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -436,6 +436,7 @@ ssl_connect_wget (int fd, const char *hostname) switch (opt.secure_protocol) { case secure_protocol_auto: + err = gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-SSL3.0", NULL); break; case secure_protocol_sslv2: case secure_protocol_sslv3: @@ -445,10 +446,10 @@ ssl_connect_wget (int fd, const char *hostname) err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL); break; case secure_protocol_pfs: - err = gnutls_priority_set_direct (session, "PFS", NULL); + err = gnutls_priority_set_direct (session, "PFS:-VERS-SSL3.0", NULL); if (err != GNUTLS_E_SUCCESS) /* fallback if PFS is not available */ - err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL); + err = gnutls_priority_set_direct (session, "NORMAL:-RSA:-VERS-SSL3.0", NULL); break; default: abort (); diff --git a/src/openssl.c b/src/openssl.c index 879b27e..4145987 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -194,9 +194,6 @@ ssl_init (void) switch (opt.secure_protocol) { - case secure_protocol_auto: - meth = SSLv23_client_method (); - break; #ifndef OPENSSL_NO_SSL2 case secure_protocol_sslv2: meth = SSLv2_client_method (); @@ -205,6 +202,7 @@ ssl_init (void) case secure_protocol_sslv3: meth = SSLv3_client_method (); break; + case secure_protocol_auto: case secure_protocol_pfs: case secure_protocol_tlsv1: meth = TLSv1_client_method (); -- 2.1.1