Stuart Henderson <st...@openbsd.org> writes:
> On 2014/11/19 08:16, Kent Fritz wrote:
>> Wget is only sending TLS 1.0 in client hello, and the server is
>> refusing. This seems to be a problem with the port, as wget 1.14 on
>> my Linux box sends a TLS 1.2 hello, as does wget on OpenBSD 5.4 (also
>> 1.14).
>
> This is fallout from our OPENSSL_VERSION_NUMBER string, ENOTIME to fix
> it now, but check out src/openssl.c.
>
> 221 #if OPENSSL_VERSION_NUMBER >= 0x01001000
> 222 case secure_protocol_tlsv1_1:
> 223 meth = TLSv1_1_client_method ();
> 224 break;
> 225 case secure_protocol_tlsv1_2:
> 226 meth = TLSv1_2_client_method ();
> 227 break;
> 228 #endif
Hmm, I'm not sure. Here's the diff between wget-1.15 and wget-1.16:
--8<--
switch (opt.secure_protocol) {
- case secure_protocol_auto:
- meth = SSLv23_client_method ();
- break;
#ifndef OPENSSL_NO_SSL2
case secure_protocol_sslv2:
meth = SSLv2_client_method ();
break;
#endif
case secure_protocol_sslv3:
meth = SSLv3_client_method ();
break;
+ case secure_protocol_auto:
case secure_protocol_pfs:
case secure_protocol_tlsv1:
meth = TLSv1_client_method ();
break;
+#if OPENSSL_VERSION_NUMBER >= 0x01001000
+ case secure_protocol_tlsv1_1:
+ meth = TLSv1_1_client_method ();
+ break;
+ case secure_protocol_tlsv1_2:
+ meth = TLSv1_2_client_method ();
+ break;
+#endif
default: abort (); }
-->8--
TLSv1_client_method() forces the use of TLSv1.0 only. oops.
wget --secure-protocol=tlsv1_2 --debug -O /dev/null \
https://www.secure.io/
works fine, --secure-protocol=tlsv1_1 fails (appropriately according to the OP's nginx config). IMO "auto" should use SSLv23_client_method(). Same for "pfs" which only touches the selected ciphers. Temporary patch below.
Index: patches/patch-src_openssl_c
===================================================================
RCS file: /cvs/ports/net/wget/patches/patch-src_openssl_c,v
retrieving revision 1.8
diff -u -p -r1.8 patch-src_openssl_c
--- patches/patch-src_openssl_c 5 Nov 2014 22:11:40 -0000 1.8
+++ patches/patch-src_openssl_c 19 Nov 2014 19:17:15 -0000
@@ -1,6 +1,6 @@
$OpenBSD: patch-src_openssl_c,v 1.8 2014/11/05 22:11:40 naddy Exp $
--- src/openssl.c.orig Mon Oct 27 09:15:33 2014
-+++ src/openssl.c Tue Nov 4 22:27:21 2014
++++ src/openssl.c Wed Nov 19 20:17:05 2014
@@ -89,9 +89,11 @@ init_prng (void)
if (RAND_status ())
return;
@@ -13,3 +13,12 @@ $OpenBSD: patch-src_openssl_c,v 1.8 2014
if (RAND_status ())
return;
+@@ -213,6 +215,8 @@ ssl_init (void)
+ break;
+ case secure_protocol_auto:
+ case secure_protocol_pfs:
++ meth = SSLv23_client_method ();
++ break;
+ case secure_protocol_tlsv1:
+ meth = TLSv1_client_method ();
+ break;
-- jca | PGP: 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
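Review bot: Routing `secure_protocol_auto` and `secure_protocol_pfs` to `SSLv23_client_method ()` lets those modes negotiate SSLv2 and SSLv3 again unless both are disabled on the context, and nothing in this hunk does that; the 1.16 move to `TLSv1_client_method ()` quoted above looks like it was exactly that SSLv3 cut-off, so this patch would reopen the SSLv3 exposure (POODLE) rather than only restoring TLS 1.1/1.2 negotiation. SSLv23_client_method() is the right choice for "highest mutually supported version", but it needs to be paired with `SSL_CTX_set_options (<the SSL_CTX created from meth>, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` once the context exists, which happens in the part of ssl_init that lies outside this hunk. Since `pfs` differs from `auto` only in cipher selection, the same option mask should apply to both. ssl_init starts and ends outside the hunk, so where the SSL_CTX_new call sits cannot be confirmed from here.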