I've tested the patch below and the results seem to be good:

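# Exercise every --secure-protocol value against each host and print the
# server headers (-S) so the negotiated protocol can be read off by hand.
# The host list and the echo string had been wrapped by the mail client,
# which breaks the `for` word list; they are kept on single lines here.
for i in www.secure.io www.secure.io:8443 www.amazon.com www.google.com www.facebook.com
do
  for j in auto sslv2 sslv3 tlsv1 tlsv1_1 tlsv1_2 pfs
  do
    echo "===> wget -S -O /dev/null --progress dot:mega --secure-protocol $j https://$i/ <==="
    # Quote the expansions so a host containing shell metacharacters cannot
    # split into extra arguments; wget's own exit status is deliberately
    # ignored so every combination still runs.
    wget -S -O /dev/null --progress dot:mega --secure-protocol "$j" "https://$i/"
    echo
    echo
  done
done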


However, with sslv2 wget ends up with 'Abort trap (core dumped)'. I did
expect that sslv2 would not work, but didn't expect it to core dump.
Otherwise it looks good to me.



On Wed, Nov 19, 2014 at 10:05:24PM +0100, Jérémie Courrèges-Anglas wrote:
> So, here's a patch that makes wget use TLSv1+ instead of TLSv1.0 by
> default - and with --secure-protocol=pfs - while making sure that we
> don't accept SSLv[23].
> 
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/wget/Makefile,v
> retrieving revision 1.64
> diff -u -p -r1.64 Makefile
> --- Makefile  5 Nov 2014 22:11:40 -0000       1.64
> +++ Makefile  19 Nov 2014 20:56:37 -0000
> @@ -3,6 +3,7 @@
>  COMMENT =    retrieve files from the web via HTTP, HTTPS and FTP
>  
>  DISTNAME =   wget-1.16
> +REVISION =   0
>  CATEGORIES = net
>  
>  HOMEPAGE =   https://www.gnu.org/software/wget/
> Index: patches/patch-src_openssl_c
> ===================================================================
> RCS file: /cvs/ports/net/wget/patches/patch-src_openssl_c,v
> retrieving revision 1.8
> diff -u -p -r1.8 patch-src_openssl_c
> --- patches/patch-src_openssl_c       5 Nov 2014 22:11:40 -0000       1.8
> +++ patches/patch-src_openssl_c       19 Nov 2014 20:21:35 -0000
> @@ -1,6 +1,6 @@
>  $OpenBSD: patch-src_openssl_c,v 1.8 2014/11/05 22:11:40 naddy Exp $
>  --- src/openssl.c.orig       Mon Oct 27 09:15:33 2014
> -+++ src/openssl.c    Tue Nov  4 22:27:21 2014
> ++++ src/openssl.c    Wed Nov 19 21:21:07 2014
>  @@ -89,9 +89,11 @@ init_prng (void)
>     if (RAND_status ())
>       return;
> @@ -13,3 +13,32 @@ $OpenBSD: patch-src_openssl_c,v 1.8 2014
>   
>     if (RAND_status ())
>       return;
> +@@ -201,6 +203,8 @@ ssl_init (void)
> +   SSLeay_add_all_algorithms ();
> +   SSLeay_add_ssl_algorithms ();
> + 
> ++  long ssl_options = 0;
> ++
> +   switch (opt.secure_protocol)
> +     {
> + #ifndef OPENSSL_NO_SSL2
> +@@ -213,6 +217,9 @@ ssl_init (void)
> +       break;
> +     case secure_protocol_auto:
> +     case secure_protocol_pfs:
> ++      meth = SSLv23_client_method ();
> ++      ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
> ++      break;
> +     case secure_protocol_tlsv1:
> +       meth = TLSv1_client_method ();
> +       break;
> +@@ -233,6 +240,9 @@ ssl_init (void)
> +   ssl_ctx = SSL_CTX_new ((SSL_METHOD *)meth);
> +   if (!ssl_ctx)
> +     goto error;
> ++
> ++  if (ssl_options)
> ++    SSL_CTX_set_options (ssl_ctx, ssl_options);
> + 
> +   /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
> +    * Since we want a good protection, we also use HIGH (that excludes MD4 
> ciphers and some more)
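Review bot: The new `case secure_protocol_auto:` / `case secure_protocol_pfs:` branch pairs `meth = SSLv23_client_method ();` with the `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` mask, but nothing in the hunk records that the two only work together, so a later cleanup could drop the mask or swap the method back and silently re-enable SSLv3; a comment on the `meth = SSLv23_client_method ();` line such as `/* Negotiates the highest version both peers support; the SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 mask applied after SSL_CTX_new is what keeps SSLv2/v3 out, so keep the two together. */` would pin the intent. The `if (ssl_options)` guard in front of `SSL_CTX_set_options (ssl_ctx, ssl_options);` is harmless but unnecessary, since SSL_CTX_set_options ORs the mask into the context and a zero mask changes nothing; calling it unconditionally reads more clearly. The `switch (opt.secure_protocol)` and the enclosing ssl_init both begin and end outside this hunk, and the SSLv2/SSLv3 cases are elided between the inner `@@` headers, so how those cases behave on a build that compiles SSLv2 out is not visible here.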
> 

-- 
best regards
q#
