Mikolaj Kucharski <miko...@kucharski.name> writes:

> I can confirm that the diff below makes wget work on TLSv1.2-only sites again.

Thanks for confirming.

So, here's a patch that makes wget negotiate TLSv1 or newer instead of only
TLSv1.0 by default (and with --secure-protocol=pfs), while making sure that we
don't accept SSLv2 or SSLv3.

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/wget/Makefile,v
retrieving revision 1.64
diff -u -p -r1.64 Makefile
--- Makefile    5 Nov 2014 22:11:40 -0000       1.64
+++ Makefile    19 Nov 2014 20:56:37 -0000
@@ -3,6 +3,7 @@
 COMMENT =      retrieve files from the web via HTTP, HTTPS and FTP
 
 DISTNAME =     wget-1.16
+REVISION =     0
 CATEGORIES =   net
 
 HOMEPAGE =     https://www.gnu.org/software/wget/
Index: patches/patch-src_openssl_c
===================================================================
RCS file: /cvs/ports/net/wget/patches/patch-src_openssl_c,v
retrieving revision 1.8
diff -u -p -r1.8 patch-src_openssl_c
--- patches/patch-src_openssl_c 5 Nov 2014 22:11:40 -0000       1.8
+++ patches/patch-src_openssl_c 19 Nov 2014 20:21:35 -0000
@@ -1,6 +1,6 @@
 $OpenBSD: patch-src_openssl_c,v 1.8 2014/11/05 22:11:40 naddy Exp $
 --- src/openssl.c.orig Mon Oct 27 09:15:33 2014
-+++ src/openssl.c      Tue Nov  4 22:27:21 2014
++++ src/openssl.c      Wed Nov 19 21:21:07 2014
 @@ -89,9 +89,11 @@ init_prng (void)
    if (RAND_status ())
      return;
@@ -13,3 +13,32 @@ $OpenBSD: patch-src_openssl_c,v 1.8 2014
  
    if (RAND_status ())
      return;
+@@ -201,6 +203,8 @@ ssl_init (void)
+   SSLeay_add_all_algorithms ();
+   SSLeay_add_ssl_algorithms ();
+ 
++  long ssl_options = 0;
++
+   switch (opt.secure_protocol)
+     {
+ #ifndef OPENSSL_NO_SSL2
+@@ -213,6 +217,9 @@ ssl_init (void)
+       break;
+     case secure_protocol_auto:
+     case secure_protocol_pfs:
++      meth = SSLv23_client_method ();
++      ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++      break;
+     case secure_protocol_tlsv1:
+       meth = TLSv1_client_method ();
+       break;
+@@ -233,6 +240,9 @@ ssl_init (void)
+   ssl_ctx = SSL_CTX_new ((SSL_METHOD *)meth);
+   if (!ssl_ctx)
+     goto error;
++
++  if (ssl_options)
++    SSL_CTX_set_options (ssl_ctx, ssl_options);
+ 
+   /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
+    * Since we want a good protection, we also use HIGH (that excludes MD4 
ciphers and some more)
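Review bot: The new `secure_protocol_auto`/`secure_protocol_pfs` branch carries no comment explaining why it pairs `SSLv23_client_method ()` with `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3`, so a later reader may "simplify" it back to `TLSv1_client_method ()`, which pins exactly TLS 1.0 and is consistent with the TLSv1.2-only breakage mentioned above. I would add above the `meth =` line: `/* SSLv23_client_method() negotiates the highest TLS version both sides support; SSLv2 and SSLv3 are then disabled via SSL_CTX_set_options so only TLSv1.0 and later are accepted. */`. Separately, `long ssl_options = 0;` is declared after the `SSLeay_add_*` calls; if the code base avoids mixed declarations and statements, it belongs with the other locals at the top of `ssl_init`, which lies outside this hunk. The `if (ssl_options)` guard before `SSL_CTX_set_options` is harmless but unneeded, since setting zero options changes nothing; the unconditional `SSL_CTX_set_options (ssl_ctx, ssl_options);` reads more plainly. ssl_init's body begins and ends outside this hunk.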


-- 
jca | PGP: 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
