URL:
<https://savannah.gnu.org/bugs/?62757>
Summary: wget --secure-protocol=SSLv3 dumps core when built
with OpenSSL without SSLv3 support
Project: GNU Wget
Submitter: alanc
Submitted: Wed 13 Jul 2022 12:59:26 AM UTC
Category: Crash/Freeze/Infloop
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Release: trunk
Discussion Lock: Any
Operating System: Others (Please Specify)
Reproducibility: Every Time
Fixed Release: None
Planned Release: None
Regression: None
Work Required: None
Patch Included: None
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Wed 13 Jul 2022 12:59:26 AM UTC By: Alan Coopersmith <alanc>
When wget 1.21.2 is built to use OpenSSL, and OpenSSL was
built with the "no-ssl3 no-ssl3-method" options to disable
SSLv3 support, then wget core dumps when SSLv3 is requested:
% wget --secure-protocol=SSLv3 https://savannah.gnu.org/
--2022-07-12 17:32:01-- https://savannah.gnu.org/
OpenSSL: unimplemented 'secure-protocol' option value 2
Please report this issue to bug-wget@gnu.org
Abort (core dumped)
This appears to be in ssl_init() in src/openssl.c - the
protocol versions unsupported by OpenSSL are #ifdef'ed
out of the switch statement altogether, falling down to
the default: case which prints an error and calls abort().
Since as bug 61416 notes, this option requests a minimum
version instead of an exact match, it would be better,
and seemingly more consistent with the gnutls version, if
the older protocol versions were always defined, and if
unsupported, the code instead fell through to the next
supported protocol release.
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?62757>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
