Thanks to visit codestin.com
Credit goes to github.com

Skip to content

wolfcrypt: Remove sslv2 support, at best was a stub and condition other older methods on WC config define #366

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mitchcapper wants to merge 1 commit into
base: master
Choose a base branch
from
Open

wolfcrypt: Remove sslv2 support, at best was a stub and condition other older methods on WC config define #366

mitchcapper wants to merge 1 commit into from

Conversation

@mitchcapper
Copy link
Contributor

@mitchcapper mitchcapper commented Dec 10, 2024

On modern wolfcrypt builds SSLv2_client_method only exists as a stub and only if #NO_OLD_TLS is not defined. I don't think SSLV2 was actually supported any time recently by it, so I have removed it completely. Otherwise you get a compiler error.

I also conditioned the other older ones (SSLv3->TLS V1.1) on the wolfcrypt NO_OLD_TLS flag not being defined as with it defined they are disabled per: https://www.wolfssl.com/documentation/manuals/wolfssl/chapter02.html. This way someone doesn't try to use SSLv3 for example and not understand why its not working, now it would return missing method error.

Finally, Added an SSL alias for SSLv3 as the comment at the top mentions this is how to specify V3, (guessing openssl copy) so to make the behavior match the comment (and I assume openssl) added the alias.

Happily gets my autobuild working https://github.com/mitchcapper/WIN64LinuxBuild/actions/workflows/tool_wget2_build.yml

rockdaboot
rockdaboot reviewed Dec 14, 2024
View reviewed changes
libwget/ssl_wolfssl.c
if (!wget_strcasecmp_ascii(config.secure_protocol, "SSLv2")) {
method = SSLv2_client_method();
} else if (!wget_strcasecmp_ascii(config.secure_protocol, "SSLv3")) {
if (!wget_strcasecmp_ascii(config.secure_protocol, "SSLv3") || !wget_strcasecmp_ascii(config.secure_protocol, "SSL")) {
Copy link
Owner

@rockdaboot rockdaboot Dec 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (!wget_strcasecmp_ascii(config.secure_protocol, "SSLv3") || !wget_strcasecmp_ascii(config.secure_protocol, "SSL")) {
if (!wget_strncasecmp_ascii(config.secure_protocol, "SSL", 3)) {

Copy link
Contributor Author

@mitchcapper mitchcapper Dec 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can make this change, only issue is if someone specifies SSLv2 it won't tell them invalid option but they also won't get what they ask for. I assumed we would prefer fall to the default case of Missing TLS method. Confirm this is desired instead?

Copy link
Owner

@rockdaboot rockdaboot Dec 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You raise a good point. I just compared the WolfSSL code with our OpenSSL and GnuTLS implementations, that why I suggested the above. IMO, all three should behave semantically the same. But I now realize that the docs need to be changed and maybe in a follow-up PR, we need a bit of code deduplication.

So yes, please change the code as suggested above.

I take care of the docs later, and print a warning that SSLv3 is used instead of SSLv2 (if explicitly requested).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rockdaboot rockdaboot rockdaboot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mitchcapper @rockdaboot