Stuart Henderson <[email protected]> writes:
> On 2014/11/19 08:16, Kent Fritz wrote:
>> Wget is only sending TLS 1.0 in client hello, and the server is
>> refusing. This seems to be a problem with the port, as wget 1.14 on
>> my Linux box sends a TLS 1.2 hello, as does wget on OpenBSD 5.4 (also
>> 1.14).
>
> This is fallout from our OPENSSL_VERSION_NUMBER string, ENOTIME to fix
> it now, but check out src/openssl.c.
>
> 221 #if OPENSSL_VERSION_NUMBER >= 0x01001000
> 222 case secure_protocol_tlsv1_1:
> 223 meth = TLSv1_1_client_method ();
> 224 break;
> 225 case secure_protocol_tlsv1_2:
> 226 meth = TLSv1_2_client_method ();
> 227 break;
> 228 #endif
Hmm, I'm not sure. Here's the diff between wget-1.15 and wget-1.16:
--8<--
switch (opt.secure_protocol)
{
- case secure_protocol_auto:
- meth = SSLv23_client_method ();
- break;
#ifndef OPENSSL_NO_SSL2
case secure_protocol_sslv2:
meth = SSLv2_client_method ();
break;
#endif
case secure_protocol_sslv3:
meth = SSLv3_client_method ();
break;
+ case secure_protocol_auto:
case secure_protocol_pfs:
case secure_protocol_tlsv1:
meth = TLSv1_client_method ();
break;
+#if OPENSSL_VERSION_NUMBER >= 0x01001000
+ case secure_protocol_tlsv1_1:
+ meth = TLSv1_1_client_method ();
+ break;
+ case secure_protocol_tlsv1_2:
+ meth = TLSv1_2_client_method ();
+ break;
+#endif
default:
abort ();
}
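Review bot: the `+ case secure_protocol_auto:` label now falls through to `meth = TLSv1_client_method ();`, so the default mode only ever offers TLS 1.0, which is exactly the refused ClientHello the OP saw; the removed `meth = SSLv23_client_method ();` was the version-negotiating method and should remain the default for auto (and for pfs, which only narrows the cipher list), with the new TLSv1_1/TLSv1_2 cases kept for the explicit --secure-protocol values.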
-->8--
TLSv1_client_method() forces the use of TLSv1.0 only. oops.
wget --secure-protocol=tlsv1_2 --debug -O /dev/null \
https://www.secure.io/
works fine, --secure-protocol=tlsv1_1 fails (appropriately according to
the OP's nginx config).
IMO "auto" should use SSLv23_client_method(). Same for "pfs" which only
touches the selected ciphers. Temporary patch below.
Index: patches/patch-src_openssl_c
===================================================================
RCS file: /cvs/ports/net/wget/patches/patch-src_openssl_c,v
retrieving revision 1.8
diff -u -p -r1.8 patch-src_openssl_c
--- patches/patch-src_openssl_c 5 Nov 2014 22:11:40 -0000 1.8
+++ patches/patch-src_openssl_c 19 Nov 2014 19:17:15 -0000
@@ -1,6 +1,6 @@
$OpenBSD: patch-src_openssl_c,v 1.8 2014/11/05 22:11:40 naddy Exp $
--- src/openssl.c.orig Mon Oct 27 09:15:33 2014
-+++ src/openssl.c Tue Nov 4 22:27:21 2014
++++ src/openssl.c Wed Nov 19 20:17:05 2014
@@ -89,9 +89,11 @@ init_prng (void)
if (RAND_status ())
return;
@@ -13,3 +13,12 @@ $OpenBSD: patch-src_openssl_c,v 1.8 2014
if (RAND_status ())
return;
+@@ -213,6 +215,8 @@ ssl_init (void)
+ break;
+ case secure_protocol_auto:
+ case secure_protocol_pfs:
++ meth = SSLv23_client_method ();
++ break;
+ case secure_protocol_tlsv1:
+ meth = TLSv1_client_method ();
+ break;
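Review bot: the nested `++ meth = SSLv23_client_method ();` restores version negotiation for both `secure_protocol_auto` and `secure_protocol_pfs`, but nothing in this hunk restricts which versions that method may pick, so whether SSLv3 is still offered depends on the SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 context options set elsewhere in ssl_init; worth confirming that, particularly for pfs, whose only other restriction is the cipher list. The nested hunk header `@@ -213,6 +215,8 @@` should also be checked against a fresh `make update-patches`, since the line offsets must match the 1.16 source for the port patch to apply.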
--
jca | PGP: 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
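To confirm which protocol version a given wget build actually offers, the quickest check is to look at the ClientHello itself, as the OP did. The following is an added example for this thread, not code from wget or the OpenBSD port: it parses the legacy version field and cipher suites of a TLS ClientHello, and includes a one-shot local listener (assumed to run on 127.0.0.1:8443) that you can point `wget --secure-protocol=auto https://127.0.0.1:8443/` at to see whether it sends a TLS 1.0 or a TLS 1.2 hello.

```python
import socket
import struct

# Added example for the wget --secure-protocol thread above, not wget's or
# OpenBSD's code: read the first TLS record a client sends and report the
# protocol version it offers, i.e. what TLSv1_client_method() pins versus
# what SSLv23_client_method() negotiates.
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def parse_client_hello(data: bytes) -> dict:
    """Return record version, offered client_version and cipher suites.
    Only the legacy version field is read (pre-TLS 1.3 negotiation)."""
    if len(data) < 5 or data[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_ver, rec_len = struct.unpack(">HH", data[1:5])
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_ver = struct.unpack(">H", hello[:2])[0]
    pos = 2 + 32                                   # skip client_random
    pos += 1 + hello[pos]                          # skip session_id
    n = struct.unpack(">H", hello[pos:pos + 2])[0]
    suites = [struct.unpack(">H", hello[i:i + 2])[0]
              for i in range(pos + 2, pos + 2 + n, 2)]
    return {"record_version": VERSION_NAMES.get(rec_ver, hex(rec_ver)),
            "client_version": VERSION_NAMES.get(client_ver, hex(client_ver)),
            "cipher_suites": suites}

def build_client_hello(version: int, suites: list) -> bytes:
    """Constructed minimal ClientHello for offline testing (not a capture)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"  # ver, random, no session id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites) + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", 0x0301, len(hs)) + hs

def listen_once(port: int = 8443) -> dict:
    """Accept one connection on 127.0.0.1 (assumed port 8443) and parse its
    ClientHello, e.g. from `wget --secure-protocol=auto https://127.0.0.1:8443/`."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port)); srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            return parse_client_hello(conn.recv(16384))

if __name__ == "__main__":
    print(listen_once())
```

A wget built with the 1.16 switch shown above reports `client_version: TLSv1.0` for `--secure-protocol=auto`, while one using SSLv23_client_method() reports the highest version its OpenSSL supports.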