[Midnightbsd-cvs] src [11586] trunk/usr.bin/fetch: disable sslv2

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Sun Jul 8 11:40:58 EDT 2018


Revision: 11586
          http://svnweb.midnightbsd.org/src/?rev=11586
Author:   laffer1
Date:     2018-07-08 11:40:58 -0400 (Sun, 08 Jul 2018)
Log Message:
-----------
disable sslv2

Modified Paths:
--------------
    trunk/usr.bin/fetch/Makefile
    trunk/usr.bin/fetch/fetch.1
    trunk/usr.bin/fetch/fetch.c

Modified: trunk/usr.bin/fetch/Makefile
===================================================================
--- trunk/usr.bin/fetch/Makefile	2018-07-08 15:40:27 UTC (rev 11585)
+++ trunk/usr.bin/fetch/Makefile	2018-07-08 15:40:58 UTC (rev 11586)
@@ -1,3 +1,4 @@
+# $MidnightBSD$
 # $FreeBSD: stable/10/usr.bin/fetch/Makefile 240496 2012-09-14 13:00:43Z des $
 
 .include <bsd.own.mk>

Modified: trunk/usr.bin/fetch/fetch.1
===================================================================
--- trunk/usr.bin/fetch/fetch.1	2018-07-08 15:40:27 UTC (rev 11585)
+++ trunk/usr.bin/fetch/fetch.1	2018-07-08 15:40:58 UTC (rev 11586)
@@ -1,6 +1,7 @@
+.\" $MidnightBSD$
 .\"-
 .\" Copyright (c) 2000-2014 Dag-Erling Smørgrav
-.\" Copyright (c) 2013 Michael Gmelin <freebsd at grem.de>
+.\" Copyright (c) 2013-2016 Michael Gmelin <freebsd at grem.de>
 .\" All rights reserved.
 .\" Portions Copyright (c) 1999 Massachusetts Institute of Technology; used
 .\" by permission.
@@ -28,9 +29,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $FreeBSD: stable/10/usr.bin/fetch/fetch.1 262558 2014-02-27 13:25:26Z des $
+.\" $FreeBSD: stable/10/usr.bin/fetch/fetch.1 301500 2016-06-06 11:08:05Z grembo $
 .\"
-.Dd January 28, 2014
+.Dd March 18, 2016
 .Dt FETCH 1
 .Os
 .Sh NAME
@@ -39,7 +40,6 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl 146AadFlMmnPpqRrsUv
-.Op Fl -allow-sslv2
 .Op Fl B Ar bytes
 .Op Fl -bind-address= Ns Ar host
 .Op Fl -ca-cert= Ns Ar file
@@ -113,9 +113,6 @@
 error when the requested object does not exist.
 .It Fl a , -retry
 Automatically retry the transfer upon soft failures.
-.It Fl -allow-sslv2
-[SSL]
-Allow SSL version 2 when negotiating the connection.
 .It Fl B Ar bytes , Fl -buffer-size= Ns Ar bytes
 Specify the read buffer size in bytes.
 The default is 16,384 bytes.
@@ -138,11 +135,17 @@
 [SSL]
 Path to certificate bundle containing trusted CA certificates.
 If not specified,
+.Pa /usr/local/etc/ssl/cert.pem
+is used.
+If this file does not exist,
 .Pa /etc/ssl/cert.pem
-is used.
-The file may contain multiple CA certificates. The port
+is used instead.
+If neither file exists and no CA path has been configured,
+OpenSSL's default CA cert and path settings apply.
+The certificate bundle can contain multiple CA certificates.
+The
 .Pa security/ca_root_nss
-is a common source of a current CA bundle.
+port is a common source of a current CA bundle.
 .It Fl -ca-path= Ns Ar dir
 [SSL]
 The directory
@@ -222,10 +225,16 @@
 which proxies should not be used.
 .It Fl -no-sslv3
 [SSL]
-Don't allow SSL version 3 when negotiating the connection.
+Do not allow SSL version 3 when negotiating the connection.
+This option is deprecated and is provided for backward compatibility
+only.
+SSLv3 is disabled by default.
+Set
+.Ev SSL_ALLOW_SSL3
+to change this behavior.
 .It Fl -no-tlsv1
 [SSL]
-Don't allow TLS version 1 when negotiating the connection.
+Do not allow TLS version 1 when negotiating the connection.
 .It Fl -no-verify-hostname
 [SSL]
 Do not verify that the hostname matches the subject of the
@@ -350,14 +359,15 @@
 .Ev NETRC ,
 .Ev NO_PROXY ,
 .Ev no_proxy ,
-.Ev SSL_ALLOW_SSL2 ,
 .Ev SSL_CA_CERT_FILE ,
 .Ev SSL_CA_CERT_PATH ,
 .Ev SSL_CLIENT_CERT_FILE ,
 .Ev SSL_CLIENT_KEY_FILE ,
 .Ev SSL_CRL_FILE ,
-.Ev SSL_NO_SSL3 ,
+.Ev SSL_ALLOW_SSL3 ,
 .Ev SSL_NO_TLS1 ,
+.Ev SSL_NO_TLS1_1 ,
+.Ev SSL_NO_TLS1_2 ,
 .Ev SSL_NO_VERIFY_HOSTNAME
 and
 .Ev SSL_NO_VERIFY_PEER .

Modified: trunk/usr.bin/fetch/fetch.c
===================================================================
--- trunk/usr.bin/fetch/fetch.c	2018-07-08 15:40:27 UTC (rev 11585)
+++ trunk/usr.bin/fetch/fetch.c	2018-07-08 15:40:58 UTC (rev 11586)
@@ -1,3 +1,4 @@
+/* $MidnightBSD$ */
 /*-
  * Copyright (c) 2000-2014 Dag-Erling Smørgrav
  * Copyright (c) 2013 Michael Gmelin <freebsd at grem.de>
@@ -28,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: stable/10/usr.bin/fetch/fetch.c 262558 2014-02-27 13:25:26Z des $");
+__FBSDID("$FreeBSD: stable/10/usr.bin/fetch/fetch.c 294194 2016-01-16 20:24:02Z des $");
 
 #include <sys/param.h>
 #include <sys/socket.h>
@@ -102,7 +103,6 @@
 	OPTION_HTTP_REFERER,
 	OPTION_HTTP_USER_AGENT,
 	OPTION_NO_PROXY,
-	OPTION_SSL_ALLOW_SSL2,
 	OPTION_SSL_CA_CERT_FILE,
 	OPTION_SSL_CA_CERT_PATH,
 	OPTION_SSL_CLIENT_CERT_FILE,
@@ -154,7 +154,6 @@
 	{ "referer", required_argument, NULL, OPTION_HTTP_REFERER },
 	{ "user-agent", required_argument, NULL, OPTION_HTTP_USER_AGENT },
 	{ "no-proxy", required_argument, NULL, OPTION_NO_PROXY },
-	{ "allow-sslv2", no_argument, NULL, OPTION_SSL_ALLOW_SSL2 },
 	{ "ca-cert", required_argument, NULL, OPTION_SSL_CA_CERT_FILE },
 	{ "ca-path", required_argument, NULL, OPTION_SSL_CA_CERT_PATH },
 	{ "cert", required_argument, NULL, OPTION_SSL_CLIENT_CERT_FILE },
@@ -845,17 +844,17 @@
 usage(void)
 {
 	fprintf(stderr, "%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n",
-"usage: fetch [-146AadFlMmnPpqRrsUv] [--allow-sslv2] [-B bytes]",
-"       [--bind-address=host] [--ca-cert=file] [--ca-path=dir] [--cert=file]",
-"       [--crl=file] [-i file] [--key=file] [-N file] [--no-passive]",
-"       [--no-proxy=list] [--no-sslv3] [--no-tlsv1] [--no-verify-hostname]",
-"       [--no-verify-peer] [-o file] [--referer=URL] [-S bytes] [-T seconds]",
+"usage: fetch [-146AadFlMmnPpqRrsUv] [-B bytes] [--bind-address=host]",
+"       [--ca-cert=file] [--ca-path=dir] [--cert=file] [--crl=file]",
+"       [-i file] [--key=file] [-N file] [--no-passive] [--no-proxy=list]",
+"       [--no-sslv3] [--no-tlsv1] [--no-verify-hostname] [--no-verify-peer]",
+"       [-o file] [--referer=URL] [-S bytes] [-T seconds]",
 "       [--user-agent=agent-string] [-w seconds] URL ...",
-"       fetch [-146AadFlMmnPpqRrsUv] [--allow-sslv2] [-B bytes]",
-"       [--bind-address=host] [--ca-cert=file] [--ca-path=dir] [--cert=file]",
-"       [--crl=file] [-i file] [--key=file] [-N file] [--no-passive]",
-"       [--no-proxy=list] [--no-sslv3] [--no-tlsv1] [--no-verify-hostname]",
-"       [--no-verify-peer] [-o file] [--referer=URL] [-S bytes] [-T seconds]",
+"       fetch [-146AadFlMmnPpqRrsUv] [-B bytes] [--bind-address=host]",
+"       [--ca-cert=file] [--ca-path=dir] [--cert=file] [--crl=file]",
+"       [-i file] [--key=file] [-N file] [--no-passive] [--no-proxy=list]",
+"       [--no-sslv3] [--no-tlsv1] [--no-verify-hostname] [--no-verify-peer]",
+"       [-o file] [--referer=URL] [-S bytes] [-T seconds]",
 "       [--user-agent=agent-string] [-w seconds] -h host -f file [-c dir]");
 }
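Review bot: The rewritten usage strings still advertise `[--no-sslv3]` on an equal footing with the other options, while the fetch.1 hunk in this same commit marks `--no-sslv3` as deprecated (SSLv3 off by default, `SSL_ALLOW_SSL3` to re-enable), so the two help texts now disagree about which knobs are current; either drop `[--no-sslv3]` from both `"usage: fetch ..."` blocks or keep it only where the man page explains its status. Separately, the option-handler hunk further down removes the `setenv("SSL_ALLOW_SSL2", "", 1)` call and the man page drops `SSL_ALLOW_SSL2` from its environment list, but none of the modified paths touch libfetch, which is presumably where the variable is read; if the library in this tree still honors it, a user exporting `SSL_ALLOW_SSL2` directly would still negotiate SSLv2 despite the commit title, so it is worth confirming that the library side ignores the variable (or noting the companion change). The fprintf format's twelve `%s\n` conversions still match the twelve string arguments after the reshuffle, so the reflow itself looks consistent.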
 
@@ -1004,9 +1003,6 @@
 		case OPTION_NO_PROXY:
 			setenv("NO_PROXY", optarg, 1);
 			break;
-		case OPTION_SSL_ALLOW_SSL2:
-			setenv("SSL_ALLOW_SSL2", "", 1);
-			break;
 		case OPTION_SSL_CA_CERT_FILE:
 			setenv("SSL_CA_CERT_FILE", optarg, 1);
 			break;


