The problem is that wget --secure-protocol=auto and
wget --secure-protocol=pfs are restricted to the use of TLSv1.0 only.
Sites that enforce the use of e.g. TLSv1.2 are unreachable by default.

The issue was reported by Mikolaj Kucharski, and I already have a fix in
the OpenBSD ports tree:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/wget/patches/patch-src_openssl_c

The attached patch fixes this problem.

Regards,

From 68a1f70275d3ceefa8f2759c5dc6f6e498e073d6 Mon Sep 17 00:00:00 2001
From: Jérémie Courrèges-Anglas <j...@wxcvbn.org>
Date: Mon, 1 Dec 2014 13:41:59 +0100
Subject: [PATCH 1/2] openssl backend: repair use of TLSv1+ protocols

The use of TLSv1_client_method() means that the protocol used will be
limited to TLSv1.0.  This is not desirable for --secure-protocol values
of "auto" (default) and "pfs".  Fix by using SSLv23_client_method() and
disabling SSLv[23].

Issue reported by Mikolaj Kucharski.
---
 src/openssl.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/openssl.c b/src/openssl.c
index 38c6ac4..81da5a2 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -203,6 +203,8 @@ ssl_init (void)
   SSLeay_add_all_algorithms ();
   SSLeay_add_ssl_algorithms ();
 
+  long ssl_options = 0;
+
   switch (opt.secure_protocol)
     {
 #ifndef OPENSSL_NO_SSL2
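Review bot: the new `long ssl_options = 0;` in this hunk is declared after the two SSLeay_add_*() statements, which relies on C99 mixed declarations and code and will not build with a C89 compiler; move it up to the declaration block at the top of ssl_init(), next to the other locals such as `meth`, to match the surrounding style.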
@@ -219,6 +221,9 @@ ssl_init (void)
 
     case secure_protocol_auto:
     case secure_protocol_pfs:
+      meth = SSLv23_client_method ();
+      ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+      break;
     case secure_protocol_tlsv1:
       meth = TLSv1_client_method ();
       break;
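Review bot: the `meth = SSLv23_client_method ();` line needs a source comment explaining that, despite its name, SSLv23_client_method() is the OpenSSL method that negotiates the highest version both sides support, and that the `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` mask is what keeps the negotiated protocol at TLSv1.0 or newer; without that comment the next reader may "fix" it back to TLSv1_client_method() and reintroduce the TLSv1.0 ceiling this patch removes. The added `break;` is essential and worth calling out in the commit message: as the context shows, the auto and pfs case labels previously fell straight through into `case secure_protocol_tlsv1:`, which is how the default ended up pinned to TLSv1.0.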
@@ -253,6 +258,9 @@ ssl_init (void)
   if (!ssl_ctx)
     goto error;
 
+  if (ssl_options)
+    SSL_CTX_set_options (ssl_ctx, ssl_options);
+
   /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
    * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more)
    */
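Review bot: the `if (ssl_options)` guard in this hunk is unnecessary; SSL_CTX_set_options() ORs the mask into the context, so a zero mask is a no-op and the call can be made unconditionally, leaving one fewer branch for a later protocol option to fall outside of. Since this mask is the only thing excluding SSLv2/SSLv3 for the default "auto" setting, consider checking the bitmask SSL_CTX_set_options() returns (it yields the new option set) so a silently dropped option is caught before the cipher list is applied.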
-- 
2.1.3

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
