Re: openssl server renegotiation bug in wget
Daniel Stenberg <[EMAIL PROTECTED]> writes:

> On Fri, 26 Aug 2005, Hrvoje Niksic wrote:
>
>> + /* The OpenSSL library can handle renegotiations automatically, so
>> + tell it to do so. */
>> + SSL_CTX_set_mode (ssl_ctx, SSL_MODE_AUTO_RETRY);
>> +
>
> Just wanted to make sure that you are aware that this option is only
> available in OpenSSL 0.9.6 or later?
>
> I don't remember what oldest OpenSSL version you want to support...

Neither do I. :-) But I seem to remember that Wget 1.10 fails on older OpenSSL's because of other things, so requiring 0.9.6 should be fine, I think. As far as I can tell, 0.9.6 was released five years ago -- that's ample time to upgrade.

It would be nice for configure to gracefully fail on older OpenSSL's, though.
Re: openssl server renegotiation bug in wget
On Fri, 26 Aug 2005, Hrvoje Niksic wrote:

> + /* The OpenSSL library can handle renegotiations automatically, so
> + tell it to do so. */
> + SSL_CTX_set_mode (ssl_ctx, SSL_MODE_AUTO_RETRY);
> +

Just wanted to make sure that you are aware that this option is only available in OpenSSL 0.9.6 or later?

I don't remember what oldest OpenSSL version you want to support...

--
-=- Daniel Stenberg -=- http://daniel.haxx.se -=- ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
Re: openssl server renegotiation bug in wget
Thanks for the report; I've applied this patch:

2005-08-26  Jeremy Shapiro  <[EMAIL PROTECTED]>

	* openssl.c (ssl_init): Set SSL_MODE_AUTO_RETRY.

Index: openssl.c
===
--- openssl.c (revision 2063)
+++ openssl.c (working copy)
@@ -225,6 +225,10 @@
 handles them correctly), allow them in OpenSSL. */
 SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+ /* The OpenSSL library can handle renegotiations automatically, so
+ tell it to do so. */
+ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_AUTO_RETRY);
+
 return true;
 error:
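Review bot: the added SSL_CTX_set_mode (ssl_ctx, SSL_MODE_AUTO_RETRY) call in this hunk is unguarded, and as noted elsewhere in this thread the SSL_MODE_AUTO_RETRY macro only exists in OpenSSL 0.9.6 and later, so a build against an older OpenSSL now fails at compile time instead of with a clear configure error; either make configure check for the macro (or for 0.9.6 as the minimum) or wrap the call in #ifdef SSL_MODE_AUTO_RETRY. As a minor style point, SSL_CTX_set_mode ORs the new flag into the existing mode bits, so the two calls could be folded into one: SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_AUTO_RETRY).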
openssl server renegotiation bug in wget
I believe I've encountered a bug in wget. When using https, if the server does a renegotiation handshake wget fails trying to peek for the application data. This occurs because wget does not set the openssl context mode SSL_MODE_AUTO_RETRY. When I added the line:

SSL_CTX_set_mode (ssl_ctx, SSL_MODE_AUTO_RETRY);

just after the line that sets PARTIAL_WRITE mode in ssl_init() in openssl.c everything worked again.

To reproduce, set up an apache server that only does client authentication for a protected directory. When wget does the ssl connect it negotiates the handshake. However, when it sends the request for the restricted directory the server will try to renegotiate with a client authenticated handshake. Wget will fail trying to read the application data, and continually retry.

Jeremy