added PFS to --secure-protocol

2025-02-11 20:30:45 +08:00 · 2013-09-03 11:49:01 +02:00 · 2013-09-03 11:49:01 +02:00 · e505664ef3
commit e505664ef3
parent e6123ed645
9 changed files with 43 additions and 7 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,3 +1,8 @@
 2013-09-04  Tim Ruehsen  <tim.ruehsen@gmx.de>
 	* sample.wgetrc: added "secureprotocol" example
 	* wget.texi (HTTPS (SSL/TLS) Options): Document PFS.
 2013-08-23  Tim Ruehsen  <tim.ruehsen@gmx.de>
 	* sample.wgetrc: added "httpsonly" example
--- a/doc/sample.wgetrc
+++ b/doc/sample.wgetrc
@ -126,3 +126,6 @@
 # Turn on to prevent following non-HTTPS links when in recursive mode
 #httpsonly = off
 # Tune HTTPS security (auto, SSLv2, SSLv3, TLSv1, PFS)
 #secureprotocol = auto
--- a/doc/wget.texi
+++ b/doc/wget.texi
@ -1595,16 +1595,21 @@ without SSL support, none of these options are available.
@cindex SSL protocol, choose
@item --secure-protocol=@var{protocol}
 Choose the secure protocol to be used.  Legal values are @samp{auto},
-@samp{SSLv2}, @samp{SSLv3}, and @samp{TLSv1}.  If @samp{auto} is used,
+@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1} and @samp{PFS}.  If @samp{auto}
-the SSL library is given the liberty of choosing the appropriate
+is used, the SSL library is given the liberty of choosing the appropriate
 protocol automatically, which is achieved by sending an SSLv2 greeting
 and announcing support for SSLv3 and TLSv1.  This is the default.
 Specifying @samp{SSLv2}, @samp{SSLv3}, or @samp{TLSv1} forces the use
 of the corresponding protocol.  This is useful when talking to old and
-buggy SSL server implementations that make it hard for OpenSSL to
+buggy SSL server implementations that make it hard for the underlying
-choose the correct protocol version.  Fortunately, such servers are
+SSL library to choose the correct protocol version.  Fortunately, such
-quite rare.
+servers are quite rare.
 Specifying @samp{PFS} enforces the use of the so-called Perfect Forward
 Security cipher suites. In short, PFS adds security by creating a one-time
 key for each SSL connection. It has a bit more CPU impact on client and server.
 We use known to be secure ciphers (e.g. no MD4) and the TLS protocol.
@item --https-only
 When in recursive mode, only HTTPS links are followed.
--- a/src/ChangeLog
+++ b/src/ChangeLog
@ -1,3 +1,10 @@
 2013-09-03  Tim Ruehsen  <tim.ruehsen@gmx.de>
 	* main.c: Add new value 'PFS' to --secure-protocol to
 	  enforce the so-called Perfect Forward Security.
 	* init.c (cmd_spec_secure_protocol): added secure_protocol_pfs
 	* openssl.c, gnutls.c, options.h: likewise
 2013-08-22  Tim Ruehsen  <tim.ruehsen@gmx.de>
 	* main.c: Add new option --https-only.
--- a/src/gnutls.c
+++ b/src/gnutls.c
@ -442,6 +442,13 @@ ssl_connect_wget (int fd, const char *hostname)
    case secure_protocol_tlsv1:
      err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL);
      break;
    case secure_protocol_pfs:
 #if defined (GNUTLS_VERSION_NUMBER) && GNUTLS_VERSION_NUMBER >= 0x030204
      err = gnutls_priority_set_direct (session, "PFS", NULL);
 #else
      err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
 #endif
      break;
    default:
      abort ();
    }
--- a/src/init.c
+++ b/src/init.c
@ -1497,6 +1497,7 @@ cmd_spec_secure_protocol (const char *com, const char *val, void *place)
    { "sslv2", secure_protocol_sslv2 },
    { "sslv3", secure_protocol_sslv3 },
    { "tlsv1", secure_protocol_tlsv1 },
    { "pfs", secure_protocol_pfs },
  };
  int ok = decode_string (val, choices, countof (choices), place);
  if (!ok)
--- a/src/main.c
+++ b/src/main.c
@ -635,7 +635,7 @@ HTTP options:\n"),
 HTTPS (SSL/TLS) options:\n"),
    N_("\
       --secure-protocol=PR     choose secure protocol, one of auto, SSLv2,\n\
-                                SSLv3, and TLSv1.\n"),
+                                SSLv3, TLSv1 and PFS.\n"),
    N_("\
       --https-only             only follow secure HTTPS links\n"),
    N_("\
--- a/src/openssl.c
+++ b/src/openssl.c
@ -194,6 +194,7 @@ ssl_init (void)
    case secure_protocol_sslv3:
      meth = SSLv3_client_method ();
      break;
    case secure_protocol_pfs:
    case secure_protocol_tlsv1:
      meth = TLSv1_client_method ();
      break;
@ -207,6 +208,12 @@ ssl_init (void)
  if (!ssl_ctx)
    goto error;
  /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
   * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more)
   */
  if (opt.secure_protocol == secure_protocol_pfs)
    SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH");
  SSL_CTX_set_default_verify_paths (ssl_ctx);
  SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
--- a/src/options.h
+++ b/src/options.h
@ -200,7 +200,8 @@ struct options
    secure_protocol_auto,
    secure_protocol_sslv2,
    secure_protocol_sslv3,
-    secure_protocol_tlsv1
+    secure_protocol_tlsv1,
    secure_protocol_pfs
  } secure_protocol;		/* type of secure protocol to use. */
  bool check_cert;		/* whether to validate the server's cert */
  char *cert_file;		/* external client certificate to use. */