The problem is that wget --security-protocol=auto and wget --security-protocol=pfs are restricted to the use of TLSv1.0 only. Sites that enforce the use of eg TLSv1.2 are unreachable by default.
The issue was reported by Mikolaj Kucharski, and I have already a fix in the OpenBSD ports tree: http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/wget/patches/patch-src_openssl_c The attached patch fixes this problem. Regards,
From 68a1f70275d3ceefa8f2759c5dc6f6e498e073d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20Courr=C3=A8ges-Anglas?= <j...@wxcvbn.org> Date: Mon, 1 Dec 2014 13:41:59 +0100 Subject: [PATCH 1/2] openssl backend: repair use of TLSv1+ protocols The use of TLSv1_client_method() means that the protocol used will be limited to TLSv1.0. This is not desirable for --secure-protocol values of "auto" (default) and "pfs". Fix by using SSLv23_client_method() and disabling SSLv[23]. Issue reported by Mikolaj Kucharski. --- src/openssl.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/openssl.c b/src/openssl.c index 38c6ac4..81da5a2 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -203,6 +203,8 @@ ssl_init (void) SSLeay_add_all_algorithms (); SSLeay_add_ssl_algorithms (); + long ssl_options = 0; + switch (opt.secure_protocol) { #ifndef OPENSSL_NO_SSL2 @@ -219,6 +221,9 @@ ssl_init (void) case secure_protocol_auto: case secure_protocol_pfs: + meth = SSLv23_client_method (); + ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + break; case secure_protocol_tlsv1: meth = TLSv1_client_method (); break; @@ -253,6 +258,9 @@ ssl_init (void) if (!ssl_ctx) goto error; + if (ssl_options) + SSL_CTX_set_options (ssl_ctx, ssl_options); + /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more) */ -- 2.1.3
-- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
signature.asc
Description: PGP signature