From: Alan Coopersmith
Subject: [bug #62757] wget --secure-protocol=SSLv3 dumps core when built with OpenSSL without SSLv3 support
Date: Tue, 12 Jul 2022 20:59:28 -0400 (EDT)

URL:
  <https://savannah.gnu.org/bugs/?62757>

                 Summary: wget --secure-protocol=SSLv3 dumps core when built with OpenSSL without SSLv3 support
                 Project: GNU Wget
               Submitter: alanc
               Submitted: Wed 13 Jul 2022 12:59:26 AM UTC
                Category: Crash/Freeze/Infloop
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
                 Release: trunk
         Discussion Lock: Any
        Operating System: Others (Please Specify)
         Reproducibility: Every Time
           Fixed Release: None
         Planned Release: None
              Regression: None
           Work Required: None
          Patch Included: None


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Wed 13 Jul 2022 12:59:26 AM UTC By: Alan Coopersmith <alanc>
When wget 1.21.2 is built to use OpenSSL, and OpenSSL was
built with the "no-ssl3 no-ssl3-method" options to disable
SSLv3 support, then wget core dumps when SSLv3 is requested:

% wget --secure-protocol=SSLv3 https://savannah.gnu.org/
--2022-07-12 17:32:01--  https://savannah.gnu.org/
OpenSSL: unimplemented 'secure-protocol' option value 2
Please report this issue to bug-wget@gnu.org
Abort (core dumped)

This appears to be in ssl_init() in src/openssl.c - the
protocol versions unsupported by OpenSSL are #ifdef'ed
out of the switch statement altogether, falling down to
the default: case which prints an error and calls abort().

Since as bug 61416 notes, this option requests a minimum 
version instead of an exact match, it would be better,
and seemingly more consistent with the gnutls version, if
the older protocol versions were always defined, and if
unsupported, the code instead fell through to the next
supported protocol release.







    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?62757>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
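
The two patterns the report contrasts, as an added example in C that is not wget's or OpenSSL's code: the enum, the MODEL_NO_* macros and both function names are hypothetical, and a return of -1 stands in for the abort() path. The second function shows the suggested behaviour, where an unsupported request only ever raises the minimum protocol version.

```c
#include <stdio.h>
/* Hypothetical model, not wget's source. P_SSLV3 == 2 matches the
   "option value 2" in the error message quoted in the report. */
enum proto { P_AUTO, P_SSLV2, P_SSLV3, P_TLSV1, P_TLSV1_1, P_TLSV1_2, P_TLSV1_3 };

/* Constructed build configuration: a TLS library without SSLv2/SSLv3. */
#define MODEL_NO_SSL2 1
#define MODEL_NO_SSL3 1

/* Reported pattern: unsupported cases are compiled out, so a valid user
   request reaches default. -1 marks where the reported code aborts. */
int resolve_ifdef(enum proto req) {
  switch (req) {
#ifndef MODEL_NO_SSL2
  case P_SSLV2:
#endif
#ifndef MODEL_NO_SSL3
  case P_SSLV3:
#endif
  case P_AUTO: case P_TLSV1: case P_TLSV1_1: case P_TLSV1_2: case P_TLSV1_3:
    return (int) req;
  default: return -1;
  }
}

/* Suggested pattern: every case always exists; an unsupported version
   falls through to the next supported one (never to an older one). */
int resolve_fallthrough(enum proto req) {
  switch (req) {
  case P_SSLV2:
#ifndef MODEL_NO_SSL2
    return P_SSLV2;
#endif
    /* fall through */
  case P_SSLV3:
#ifndef MODEL_NO_SSL3
    return P_SSLV3;
#endif
    /* fall through */
  case P_TLSV1: return P_TLSV1;
  case P_AUTO: case P_TLSV1_1: case P_TLSV1_2: case P_TLSV1_3: return (int) req;
  default: return -1;  /* only a value outside the enum gets here */
  }
}

int main(void) {
  printf("ifdef: %d, fallthrough: %d\n", resolve_ifdef(P_SSLV3), resolve_fallthrough(P_SSLV3));
  return 0;
}
```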



