File wget-enforce-tls12.patch of Package wget.3159

Overview Repositories Revisions Requests Users Attributes Meta

File wget-enforce-tls12.patch of Package wget.3159

Index: wget-1.14/src/openssl.c
===================================================================
--- wget-1.14.orig/src/openssl.c
+++ wget-1.14/src/openssl.c
@@ -185,6 +185,7 @@ ssl_init (void)
   switch (opt.secure_protocol)
     {
     case secure_protocol_auto:
+    case secure_protocol_pfs:
       meth = SSLv23_client_method ();
       break;
 #ifndef OPENSSL_NO_SSL2
@@ -198,6 +199,24 @@ ssl_init (void)
     case secure_protocol_tlsv1:
       meth = TLSv1_client_method ();
       break;
+#if OPENSSL_VERSION_NUMBER >= 0x10001000
+    case secure_protocol_tlsv1_1:
+      meth = TLSv1_1_client_method ();
+      break;
+
+    case secure_protocol_tlsv1_2:
+      meth = TLSv1_2_client_method ();
+      break;
+#else
+    case secure_protocol_tlsv1_1:
+      logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n"));
+      goto error;
+
+    case secure_protocol_tlsv1_2:
+      logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n"));
+      goto error;
+#endif
+
     default:
       abort ();
     }
Index: wget-1.14/src/options.h
===================================================================
--- wget-1.14.orig/src/options.h
+++ wget-1.14/src/options.h
@@ -200,7 +200,10 @@ struct options
     secure_protocol_auto,
     secure_protocol_sslv2,
     secure_protocol_sslv3,
-    secure_protocol_tlsv1
+    secure_protocol_tlsv1,
+    secure_protocol_tlsv1_1,
+    secure_protocol_tlsv1_2,
+    secure_protocol_pfs
   } secure_protocol;		/* type of secure protocol to use. */
   bool check_cert;		/* whether to validate the server's cert */
   char *cert_file;		/* external client certificate to use. */
Index: wget-1.14/src/init.c
===================================================================
--- wget-1.14.orig/src/init.c
+++ wget-1.14/src/init.c
@@ -1488,6 +1488,11 @@ cmd_spec_secure_protocol (const char *co
     { "sslv2", secure_protocol_sslv2 },
     { "sslv3", secure_protocol_sslv3 },
     { "tlsv1", secure_protocol_tlsv1 },
+    { "tlsv1.1", secure_protocol_tlsv1_1 },
+    { "tlsv1.2", secure_protocol_tlsv1_2 },
+    { "tlsv1_1", secure_protocol_tlsv1_1 },
+    { "tlsv1_2", secure_protocol_tlsv1_2 },
+    { "pfs", secure_protocol_pfs },
   };
   int ok = decode_string (val, choices, countof (choices), place);
   if (!ok)
Index: wget-1.14/src/main.c
===================================================================
--- wget-1.14.orig/src/main.c
+++ wget-1.14/src/main.c
@@ -625,7 +625,7 @@ HTTP options:\n"),
 HTTPS (SSL/TLS) options:\n"),
     N_("\
        --secure-protocol=PR     choose secure protocol, one of auto, SSLv2,\n\
-                                SSLv3, and TLSv1.\n"),
+                                SSLv3, TLSv1, TLSv1.1, and TLSv1.2.\n"),
     N_("\
        --no-check-certificate   don't validate the server's certificate.\n"),
     N_("\
Index: wget-1.14/doc/wget.texi
===================================================================
--- wget-1.14.orig/doc/wget.texi
+++ wget-1.14/doc/wget.texi
@@ -1549,12 +1549,15 @@ without SSL support, none of these optio
 @cindex SSL protocol, choose
 @item --secure-protocol=@var{protocol}
 Choose the secure protocol to be used.  Legal values are @samp{auto},
-@samp{SSLv2}, @samp{SSLv3}, and @samp{TLSv1}.  If @samp{auto} is used,
+@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1}, and
+@samp{TLSv1_2} (@samp{TLSv1.1} and @samp{TLSv1.2} are acceptable
+aliases for the latter two). If @samp{auto} is used,
 the SSL library is given the liberty of choosing the appropriate
 protocol automatically, which is achieved by sending an SSLv2 greeting
 and announcing support for SSLv3 and TLSv1.  This is the default.
 
-Specifying @samp{SSLv2}, @samp{SSLv3}, or @samp{TLSv1} forces the use
+Specifying @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1},
+or @samp{TLSv1_2} forces the use
 of the corresponding protocol.  This is useful when talking to old and
 buggy SSL server implementations that make it hard for OpenSSL to
 choose the correct protocol version.  Fortunately, such servers are
@@ -3215,7 +3218,8 @@ Same as @samp{--save-headers}.
 
 @item secure_protocol = @var{string}
 Choose the secure protocol to be used.  Legal values are @samp{auto}
-(the default), @samp{SSLv2}, @samp{SSLv3}, and @samp{TLSv1}.  The same
+(the default), @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1},
+and @samp{TLSv1_2}.  The same
 as @samp{--secure-protocol=@var{string}}.
 
 @item server_response = on/off

Places

File wget-enforce-tls12.patch of Package wget.3159

Places