Bug 712, ssl_set_no_tls: Disable TLS protocols for GnuTLS too.

And log this in NEWS, although that may have to be reverted later if it turns out this change just hides a real bug elsewhere in ELinks.
2024-12-04 14:46:47 -05:00 · 2007-04-21 13:58:20 +03:00 · 2007-04-21 13:58:20 +03:00 · 2f25d3e57c
commit 2f25d3e57c
parent d33579bb2f
2 changed files with 17 additions and 0 deletions
--- a/1
+++ b/1
@ -100,6 +100,7 @@ roughly in decreasing order of importance.
  - (enhancement) FSP progress indicator and password prompt.
  - (bugfix) Support much longer locale-specific timestamps when
    formatting a directory listing.  LC_TIME=fi_FI.UTF-8 now works.
+  - (bugfix 712) GnuTLS works on https://www-s.uiuc.edu
 * Changes in parsing and rendering of HTML (without DOM)
  - (bugfix) Use frame->name instead of target avoiding possible segfault.
  - (bugfix 284) Render closing parentheses for HTML elements SUB, SUP
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@ -58,11 +58,27 @@
 #endif


+/* Refuse to negotiate TLS 1.0 and later protocols on @socket->ssl.
+ * Without this, connecting to <https://www-s.uiuc.edu/> with GnuTLS
+ * 1.3.5 would result in an SSL error.  The bug may be in the server
+ * (Netscape-Enterprise/3.6 SP3), in GnuTLS, or in ELinks; please log
+ * your findings to ELinks bug 712.  */
 static void
 ssl_set_no_tls(struct socket *socket)
 {
 #ifdef CONFIG_OPENSSL
 	((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1;
+#elif defined(CONFIG_GNUTLS)
+	{
+		/* GnuTLS does not support SSLv2 because it is "insecure".
+		 * That leaves only SSLv3.  */
+		static const int protocol_priority[] = {
+			GNUTLS_SSL3,
+			0
+		};
+
+		gnutls_protocol_set_priority(*(ssl_t *) socket->ssl, protocol_priority);
+	}
 #endif
 }