]> sjero.net Git - wget/blobdiff - src/openssl.c
projects / wget / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
NEWS: cite --start-pos
[wget] / src / openssl.c
diff --git a/src/openssl.c b/src/openssl.c
index e2eec4f7c2932b704fd5cd63e0ed48a735f15813..7c92ac0bcb1c80908abb5ea2fce91e49335227dc 100644 (file)
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -194,6 +194,7 @@ ssl_init (void)
     case secure_protocol_sslv3:
       meth = SSLv3_client_method ();
       break;
+    case secure_protocol_pfs:
     case secure_protocol_tlsv1:
       meth = TLSv1_client_method ();
       break;
@@ -207,6 +208,12 @@ ssl_init (void)
   if (!ssl_ctx)
     goto error;
 
+  /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
+   * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more)
+   */
+  if (opt.secure_protocol == secure_protocol_pfs)
+    SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH");
+
   SSL_CTX_set_default_verify_paths (ssl_ctx);
   SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
 
GNU Wget (from http://git.savannah.gnu.org/cgit/wget.git). Modified to allow selection of TCP source port. Clone using: git clone http://sjero.net/src/wget/ wget