File wget-enforce-tls12.patch of Package wget.37320
Index: wget-1.14/src/openssl.c
===================================================================
--- wget-1.14.orig/src/openssl.c
+++ wget-1.14/src/openssl.c
@@ -185,6 +185,7 @@ ssl_init (void)
switch (opt.secure_protocol)
{
case secure_protocol_auto:
+ case secure_protocol_pfs:
meth = SSLv23_client_method ();
break;
#ifndef OPENSSL_NO_SSL2
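Review bot: The new `case secure_protocol_pfs:` label falls through to `SSLv23_client_method ()` exactly like `auto`, and nothing in this patch restricts the cipher list or disables SSLv2/SSLv3 for it, so unless that happens after the switch (outside this hunk) `--secure-protocol=PFS` gives no forward-secrecy guarantee at all while suggesting one. Method selection alone cannot express "ephemeral key exchange only"; that is a cipher-list property of the context. Once `ssl_ctx` has been created, the pfs case should at least add `if (opt.secure_protocol == secure_protocol_pfs) SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH");` (the `!RSA` is what excludes static-RSA key exchange), and the shared auto/pfs path should OR `SSL_OP_NO_SSLv2` into the context options; otherwise the `pfs` keyword should be dropped until it does something distinct. ssl_init continues outside this hunk.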
@@ -198,6 +199,24 @@ ssl_init (void)
case secure_protocol_tlsv1:
meth = TLSv1_client_method ();
break;
+#if OPENSSL_VERSION_NUMBER >= 0x10001000
+ case secure_protocol_tlsv1_1:
+ meth = TLSv1_1_client_method ();
+ break;
+
+ case secure_protocol_tlsv1_2:
+ meth = TLSv1_2_client_method ();
+ break;
+#else
+ case secure_protocol_tlsv1_1:
+ logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n"));
+ goto error;
+
+ case secure_protocol_tlsv1_2:
+ logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n"));
+ goto error;
+#endif
+
default:
abort ();
}
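Review bot: The gate `#if OPENSSL_VERSION_NUMBER >= 0x10001000` is a bare magic number; a comment such as `/* TLSv1_1_client_method and TLSv1_2_client_method first appeared in OpenSSL 1.0.1 */` above it would spare the next reader a trip to opensslv.h. The two `goto error` statements in the fallback branch rely on an `error:` label that is outside this hunk; that path must not free anything not yet allocated, which looks fine if `ssl_ctx` is only created after the switch, but that is not visible here. Note also that `TLSv1_1_client_method ()`/`TLSv1_2_client_method ()` pin exactly one protocol version rather than setting a minimum, so a user who chooses `TLSv1_2` to mean "at least 1.2" gets something narrower; a short comment stating that the option selects a single version would avoid surprises.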
Index: wget-1.14/src/options.h
===================================================================
--- wget-1.14.orig/src/options.h
+++ wget-1.14/src/options.h
@@ -200,7 +200,10 @@ struct options
secure_protocol_auto,
secure_protocol_sslv2,
secure_protocol_sslv3,
- secure_protocol_tlsv1
+ secure_protocol_tlsv1,
+ secure_protocol_tlsv1_1,
+ secure_protocol_tlsv1_2,
+ secure_protocol_pfs
} secure_protocol; /* type of secure protocol to use. */
bool check_cert; /* whether to validate the server's cert */
char *cert_file; /* external client certificate to use. */
Index: wget-1.14/src/init.c
===================================================================
--- wget-1.14.orig/src/init.c
+++ wget-1.14/src/init.c
@@ -1488,6 +1488,11 @@ cmd_spec_secure_protocol (const char *co
{ "sslv2", secure_protocol_sslv2 },
{ "sslv3", secure_protocol_sslv3 },
{ "tlsv1", secure_protocol_tlsv1 },
+ { "tlsv1.1", secure_protocol_tlsv1_1 },
+ { "tlsv1.2", secure_protocol_tlsv1_2 },
+ { "tlsv1_1", secure_protocol_tlsv1_1 },
+ { "tlsv1_2", secure_protocol_tlsv1_2 },
+ { "pfs", secure_protocol_pfs },
};
int ok = decode_string (val, choices, countof (choices), place);
if (!ok)
Index: wget-1.14/src/main.c
===================================================================
--- wget-1.14.orig/src/main.c
+++ wget-1.14/src/main.c
@@ -625,7 +625,7 @@ HTTP options:\n"),
HTTPS (SSL/TLS) options:\n"),
N_("\
--secure-protocol=PR choose secure protocol, one of auto, SSLv2,\n\
- SSLv3, and TLSv1.\n"),
+ SSLv3, TLSv1, TLSv1.1, and TLSv1.2.\n"),
N_("\
--no-check-certificate don't validate the server's certificate.\n"),
N_("\
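Review bot: The updated usage line lists `TLSv1.1` and `TLSv1.2` but not `PFS`, even though the parser table added in init.c now accepts `pfs`, and it uses the dotted spellings while the manual text in this same patch presents `TLSv1_1`/`TLSv1_2` as the canonical names with the dotted forms as aliases. Either every accepted keyword should be advertised or it should not be accepted, and help and manual should agree on the primary spelling. Suggested replacement for the changed line: `SSLv3, TLSv1, TLSv1_1, TLSv1_2, and PFS.\n"),`. The help-text array this line belongs to starts and ends outside the hunk.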
Index: wget-1.14/doc/wget.texi
===================================================================
--- wget-1.14.orig/doc/wget.texi
+++ wget-1.14/doc/wget.texi
@@ -1549,12 +1549,15 @@ without SSL support, none of these optio
@cindex SSL protocol, choose
@item --secure-protocol=@var{protocol}
Choose the secure protocol to be used. Legal values are @samp{auto},
-@samp{SSLv2}, @samp{SSLv3}, and @samp{TLSv1}. If @samp{auto} is used,
+@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1}, and
+@samp{TLSv1_2} (@samp{TLSv1.1} and @samp{TLSv1.2} are acceptable
+aliases for the latter two). If @samp{auto} is used,
the SSL library is given the liberty of choosing the appropriate
protocol automatically, which is achieved by sending an SSLv2 greeting
and announcing support for SSLv3 and TLSv1. This is the default.
-Specifying @samp{SSLv2}, @samp{SSLv3}, or @samp{TLSv1} forces the use
+Specifying @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1},
+or @samp{TLSv1_2} forces the use
of the corresponding protocol. This is useful when talking to old and
buggy SSL server implementations that make it hard for OpenSSL to
choose the correct protocol version. Fortunately, such servers are
@@ -3215,7 +3218,8 @@ Same as @samp{--save-headers}.
@item secure_protocol = @var{string}
Choose the secure protocol to be used. Legal values are @samp{auto}
-(the default), @samp{SSLv2}, @samp{SSLv3}, and @samp{TLSv1}. The same
+(the default), @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1},
+and @samp{TLSv1_2}. The same
as @samp{--secure-protocol=@var{string}}.
@item server_response = on/off