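diff --git a/doc/wget.texi b/doc/wget.texi
index 118fce9..3bd8dd7 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -1555,16 +1555,17 @@ without SSL support, none of these options are available.
 @cindex SSL protocol, choose
 @item --secure-protocol=@var{protocol}
 Choose the secure protocol to be used. Legal values are @samp{auto},
-@samp{SSLv2}, @samp{SSLv3}, and @samp{TLSv1}. If @samp{auto} is used,
-the SSL library is given the liberty of choosing the appropriate
-protocol automatically, which is achieved by sending an SSLv2 greeting
-and announcing support for SSLv3 and TLSv1. This is the default.
-
-Specifying @samp{SSLv2}, @samp{SSLv3}, or @samp{TLSv1} forces the use
-of the corresponding protocol. This is useful when talking to old and
-buggy SSL server implementations that make it hard for OpenSSL to
-choose the correct protocol version. Fortunately, such servers are
-quite rare.
+@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1} and
+@samp{TLSv1_2}. If @samp{auto} is used, the SSL library is given the
+liberty of choosing the appropriate protocol automatically, which is
+achieved by sending a SSLv2 greeting and announcing support for SSLv3
+and TLSv1. This is the default.
+
+Specifying @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1} or
+@samp{TLSv1_2} forces the use of the corresponding protocol. This is
+useful when talking to old and buggy SSL server implementations that
+make it hard for the underlying SSL library to choose the correct
+protocol version. Fortunately, such servers are quite rare.
 
 @cindex SSL certificate, check
 @item --no-check-certificate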
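diff --git a/src/init.c b/src/init.c
index 4cee677..f160bec 100644
--- a/src/init.c
+++ b/src/init.c
@@ -1488,6 +1488,8 @@ cmd_spec_secure_protocol (const char *com, const char *val, void *place)
 { "sslv2", secure_protocol_sslv2 },
 { "sslv3", secure_protocol_sslv3 },
 { "tlsv1", secure_protocol_tlsv1 },
+ { "tlsv1_1", secure_protocol_tlsv1_1 },
+ { "tlsv1_2", secure_protocol_tlsv1_2 },
 };
 int ok = decode_string (val, choices, countof (choices), place);
 if (!ok)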
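diff --git a/src/main.c b/src/main.c
index 9cbad9f..3d50dad 100644
--- a/src/main.c
+++ b/src/main.c
@@ -625,7 +625,7 @@ HTTP options:\n"),
 HTTPS (SSL/TLS) options:\n"),
 N_("\
 --secure-protocol=PR choose secure protocol, one of auto, SSLv2,\n\
- SSLv3, and TLSv1.\n"),
+ SSLv3, TLSv1, TLSv1_1 and TLSv1_2.\n"),
 N_("\
 --no-check-certificate don't validate the server's certificate.\n"),
 N_("\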
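diff --git a/src/openssl.c b/src/openssl.c
index b3c31ce..141a8a3 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -40,6 +40,9 @@ as that of the covered work. */
 #include <openssl/x509v3.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#if OPENSSL_VERSION_NUMBER >= 0x00907000
+#include <openssl/conf.h>
+#endif
 
 #include "utils.h"
 #include "connect.h"
@@ -176,6 +179,12 @@ ssl_init (void)
 goto error;
 }
 
+#if OPENSSL_VERSION_NUMBER >= 0x00907000
+ OPENSSL_load_builtin_modules();
+ ENGINE_load_builtin_engines();
+ CONF_modules_load_file(NULL, NULL,
+ CONF_MFLAGS_DEFAULT_SECTION|CONF_MFLAGS_IGNORE_MISSING_FILE);
+#endif
 SSL_library_init ();
 SSL_load_error_strings ();
 SSLeay_add_all_algorithms ();
@@ -197,6 +206,21 @@ ssl_init (void)
 case secure_protocol_tlsv1:
 meth = TLSv1_client_method ();
 break;
+#if OPENSSL_VERSION_NUMBER >= 0x10001000
+ case secure_protocol_tlsv1_1:
+ meth = TLSv1_1_client_method ();
+ break;
+ case secure_protocol_tlsv1_2:
+ meth = TLSv1_2_client_method ();
+ break;
+#else
+ case secure_protocol_tlsv1_1:
+ logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n"));
+ goto error;
+ case secure_protocol_tlsv1_2:
+ logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n"));
+ goto error;
+#endif
 default:
 abort ();
 }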
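diff --git a/src/options.h b/src/options.h
index 326123a..575e647 100644
--- a/src/options.h
+++ b/src/options.h
@@ -200,7 +200,9 @@ struct options
 secure_protocol_auto,
 secure_protocol_sslv2,
 secure_protocol_sslv3,
- secure_protocol_tlsv1
+ secure_protocol_tlsv1,
+ secure_protocol_tlsv1_1,
+ secure_protocol_tlsv1_2
 } secure_protocol; /* type of secure protocol to use. */
 bool check_cert; /* whether to validate the server's cert */
 char *cert_file; /* external client certificate to use. */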