From cc3bf4d8f1819a864944b18190881d40ee7b9955 Mon Sep 17 00:00:00 2001
From: Tomas Hozza
Date: Mon, 7 Jul 2014 13:20:52 +0200
Subject: [PATCH] Add configure option --with-openssl-ciphers-list
Allow the users to redefine the ciphers list used when compiled with OpenSSL. This is usable for distributions, that distribute wget as binary package and want to use own system-wide ciphers list.
Signed-off-by: Tomas Hozza
---
 ChangeLog | 5 +++++
 configure.ac | 13 +++++++++++++
 src/ChangeLog | 5 +++++
 src/openssl.c | 6 +++++-
 4 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 2bfae67..8a1ff73 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-07-07 Tomas Hozza
+
+ * configure.ac: Add --with-openssl-ciphers-list to allow redefining the
+ ciphers list when using OpenSSL.
+
 2014-06-28 Giuseppe Scrivano
 * cfg.mk (local-checks-to-skip): Remove some checks.
diff --git a/configure.ac b/configure.ac
index abc92fb..9fcb563 100644
--- a/configure.ac
+++ b/configure.ac
@@ -69,6 +69,12 @@ AC_ARG_WITH(ssl,
 [[ --without-ssl disable SSL autodetection
 --with-ssl={gnutls,openssl} specify the SSL backend. GNU TLS is the default.]])
+AC_ARG_WITH([openssl-ciphers-list],
+[ --with-openssl-ciphers-list=LIST Use SSL cipers list for OpenSSL defined as
+ an argument.],
+[with_openssl_ciphers_list="$withval"],
+[with_openssl_ciphers_list=no])
+
 AC_ARG_WITH(zlib,
 [[ --without-zlib disable zlib ]])
@@ -364,6 +370,13 @@ else
 fi
 fi
+# check which ciphers list should be used for OpenSSL
+AS_IF([test x"$with_openssl_ciphers_list" != xno], [
+ AS_IF([test x"$with_ssl" != xopenssl], [
+ AC_MSG_ERROR([--with-openssl-ciphers-list can be used only with --with-ssl=openssl])
+ ])
+ AC_DEFINE_UNQUOTED([OPENSSL_CIPHERS_LIST], ["$with_openssl_ciphers_list"], [Use defined ciphers list for OpenSSL])
+])
 dnl **********************************************************************
 dnl Checks for IPv6
diff --git a/src/ChangeLog b/src/ChangeLog
index 6360303..bfeafa5 100644
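Review bot: The help text on the new `AC_ARG_WITH([openssl-ciphers-list]` entry misspells "cipers" and does not say when the list takes effect; within this same patch the define is only consulted under `if (opt.secure_protocol == secure_protocol_pfs)` in src/openssl.c, so a packager reading `./configure --help` would reasonably assume it applies to every OpenSSL connection. Suggest `[  --with-openssl-ciphers-list=LIST  OpenSSL cipher list to use for --secure-protocol=PFS (overrides the built-in default)]`. "defined as an argument" can be dropped, since the `=LIST` placeholder already says that.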
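Review bot: `AC_DEFINE_UNQUOTED([OPENSSL_CIPHERS_LIST], ["$with_openssl_ciphers_list"], ...)` accepts any value other than `no`, so a bare `--with-openssl-ciphers-list` with no `=LIST` (autoconf then stores `yes` in `$withval`) compiles the string `"yes"` in as the cipher list, and a LIST containing `"` or `\` breaks the C string literal in src/openssl.c instead of being rejected by configure. Nothing here checks that the value is something OpenSSL will parse, and the consumer in ssl_init does not check the return of `SSL_CTX_set_cipher_list` either, so a bad list is silently ignored at run time rather than failing the build. Suggest guarding before the define with `AS_IF([test x"$with_openssl_ciphers_list" = xyes], [AC_MSG_ERROR([--with-openssl-ciphers-list requires =LIST])])` and rejecting values that contain a double quote or backslash with a `case` pattern and `AC_MSG_ERROR` in the same block.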
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2014-07-07 Tomas Hozza
+
+ * openssl.c: Add definition of OPENSSL_CIPHERS_LIST
+ * openssl.c (ssl_init): Use the predefined OPENSSL_CIPHERS_LIST
+
 2014-07-05 Darshit Shah
 * cookies.c (check_domain_match): Libpsl requires that all domain names
diff --git a/src/openssl.c b/src/openssl.c
index 879b27e..18ba21d 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -50,6 +50,10 @@ as that of the covered work. */
 # include
 #endif
+#ifndef OPENSSL_CIPHERS_LIST
+# define OPENSSL_CIPHERS_LIST "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden"
+#endif
+
 /* Application-wide SSL context. This is common to all SSL connections. */
 static SSL_CTX *ssl_ctx;
@@ -223,7 +227,7 @@ ssl_init (void)
 * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more) */
 if (opt.secure_protocol == secure_protocol_pfs)
- SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden");
+ SSL_CTX_set_cipher_list (ssl_ctx, OPENSSL_CIPHERS_LIST);
 SSL_CTX_set_default_verify_paths (ssl_ctx);
 SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
-- 
1.9.3
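Review bot: The new `#ifndef OPENSSL_CIPHERS_LIST` fallback carries no comment saying what the macro is or when it applies, and the list as shown ends in `address@hidden`, which looks like mailing-list address obfuscation in this archived copy rather than an OpenSSL cipher keyword — the identical text appears in the removed line of the next hunk, so the mangling is in the archive, not the patch, but verify the real suffix against the tree before copying from here. Suggest above the `#ifndef`: `/* OpenSSL cipher list applied in ssl_init when --secure-protocol=PFS is selected.  configure's --with-openssl-ciphers-list overrides it; a weaker list, from either source, silently weakens every PFS connection.  */`.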
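Review bot: `SSL_CTX_set_cipher_list (ssl_ctx, OPENSSL_CIPHERS_LIST)` still discards its return value, and now that the list can be replaced at configure time this matters: if the configured string does not parse or matches no cipher, OpenSSL returns 0 and leaves the context on its compiled-in default, so `--secure-protocol=PFS` would run with a non-PFS cipher set and no indication to the user. I would make that fatal: `if (opt.secure_protocol == secure_protocol_pfs` / `    && !SSL_CTX_set_cipher_list (ssl_ctx, OPENSSL_CIPHERS_LIST))` / `  goto error;`, using whatever failure path ssl_init's other setup errors take — the function's body and return type are outside this hunk, so the label name is an assumption to confirm. A log line naming the rejected list would also help, since with a distribution-supplied value the user cannot otherwise tell which string was compiled in.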