I've tested the patch below and the results seem to be good:
for i in www.secure.io www.secure.io:8443 www.amazon.com www.google.com www.facebook.com do for j in auto sslv2 sslv3 tlsv1 tlsv1_1 tlsv1_2 pfs do echo "===> wget -S -O /dev/null --progress dot:mega --secure-protocol $j https://$i/ <===" wget -S -O /dev/null --progress dot:mega --secure-protocol $j https://$i/ echo echo done done However, with sslv2 wget ends up with 'Abort trap (core dumped)'. I did expect that sslv2 will not work, but didn't expect it will core dump. Otherwise it looks good to me. On Wed, Nov 19, 2014 at 10:05:24PM +0100, Jérémie Courr??ges-Anglas wrote:
> So, here's a patch that makes wget use TLSv1+ instead of TLSv1.0 by
> default - and with --secure-protocol=pfs - while making sure that we
> don't accept SSLv[23].
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/wget/Makefile,v
> retrieving revision 1.64
> diff -u -p -r1.64 Makefile
> --- Makefile 5 Nov 2014 22:11:40 -0000 1.64
> +++ Makefile 19 Nov 2014 20:56:37 -0000
> @@ -3,6 +3,7 @@
> COMMENT = retrieve files from the web via HTTP, HTTPS and FTP
>
> DISTNAME = wget-1.16
> +REVISION = 0
> CATEGORIES = net
>
> HOMEPAGE = https://www.gnu.org/software/wget/
> Index: patches/patch-src_openssl_c
> ===================================================================
> RCS file: /cvs/ports/net/wget/patches/patch-src_openssl_c,v
> retrieving revision 1.8
> diff -u -p -r1.8 patch-src_openssl_c
> --- patches/patch-src_openssl_c 5 Nov 2014 22:11:40 -0000 1.8
> +++ patches/patch-src_openssl_c 19 Nov 2014 20:21:35 -0000
> @@ -1,6 +1,6 @@
> $OpenBSD: patch-src_openssl_c,v 1.8 2014/11/05 22:11:40 naddy Exp $
> --- src/openssl.c.orig Mon Oct 27 09:15:33 2014
> -+++ src/openssl.c Tue Nov 4 22:27:21 2014
> ++++ src/openssl.c Wed Nov 19 21:21:07 2014
> @@ -89,9 +89,11 @@ init_prng (void)
> if (RAND_status ())
> return;
> @@ -13,3 +13,32 @@ $OpenBSD: patch-src_openssl_c,v 1.8 2014
>
> if (RAND_status ())
> return;
> +@@ -201,6 +203,8 @@ ssl_init (void)
> + SSLeay_add_all_algorithms ();
> + SSLeay_add_ssl_algorithms ();
> +
> ++ long ssl_options = 0;
> ++
> + switch (opt.secure_protocol)
> + {
> + #ifndef OPENSSL_NO_SSL2
> +@@ -213,6 +217,9 @@ ssl_init (void)
> + break;
> + case secure_protocol_auto:
> + case secure_protocol_pfs:
> ++ meth = SSLv23_client_method ();
> ++ ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
> ++ break;
> + case secure_protocol_tlsv1:
> + meth = TLSv1_client_method ();
> + break;
> +@@ -233,6 +240,9 @@ ssl_init (void)
> + ssl_ctx = SSL_CTX_new ((SSL_METHOD *)meth);
> + if (!ssl_ctx)
> + goto error;
> ++
> ++ if (ssl_options)
> ++ SSL_CTX_set_options (ssl_ctx, ssl_options);
> +
> + /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
> * Since we want a good protection, we also use HIGH (that excludes MD4
> ciphers and some more)
> -- best regards q#
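Review bot: The new `case secure_protocol_auto: case secure_protocol_pfs:` branch in the `@@ -213,6 +217,9 @@` hunk carries no comment explaining why `SSLv23_client_method ()` is paired with `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3`; a reader of the port patch has to know that this method negotiates the highest version both sides support and that the option mask is what removes SSLv2 and SSLv3 from that negotiation, so I would add above the assignment `/* Negotiate the newest TLS version available; the option mask excludes SSLv2/SSLv3, so "auto" and "pfs" mean TLSv1 or newer. */`. The `if (ssl_options)` guard before `SSL_CTX_set_options` in the `@@ -233,6 +240,9 @@` hunk is harmless but unnecessary, since applying a zero mask changes nothing; dropping the guard and calling `SSL_CTX_set_options (ssl_ctx, ssl_options);` unconditionally reads more plainly. The other cases of the switch, the handling after the `#ifndef OPENSSL_NO_SSL2` case, and the cipher-list setup that distinguishes pfs are all outside these hunks, so the 'Abort trap' reported above for `--secure-protocol sslv2` cannot be attributed to the added lines from what is visible here. It may come from the sslv2 case being compiled out on a library without SSLv2, in which case a clean "protocol not supported" error is the behaviour to aim for, but that path is not in the hunk and would need checking in the full file.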