From 2f25d3e57cd6dd1d2dda71108b2b2db1cb919400 Mon Sep 17 00:00:00 2001
From: Kalle Olavi Niemitalo
Date: Sat, 21 Apr 2007 13:58:20 +0300
Subject: [PATCH] Bug 712, ssl_set_no_tls: Disable TLS protocols for GnuTLS too.

And log this in NEWS, although that may have to be reverted later if it turns out this change just hides a real bug elsewhere in ELinks.
---
 NEWS                     | 1 +
 src/network/ssl/socket.c | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/NEWS b/NEWS
index 494b97c3..8ecca51e 100644
--- a/NEWS
+++ b/NEWS
@@ -100,6 +100,7 @@ roughly in decreasing order of importance.
 - (enhancement) FSP progress indicator and password prompt.
 - (bugfix) Support much longer locale-specific timestamps when formatting a directory listing. LC_TIME=fi_FI.UTF-8 now works.
+ - (bugfix 712) GnuTLS works on https://www-s.uiuc.edu
 * Changes in parsing and rendering of HTML (without DOM)
 - (bugfix) Use frame->name instead of target avoiding possible segfault.
 - (bugfix 284) Render closing parentheses for HTML elements SUB, SUP
diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
index 322a718c..19b89413 100644
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -58,11 +58,27 @@
 #endif
+/* Refuse to negotiate TLS 1.0 and later protocols on @socket->ssl.
+ * Without this, connecting to with GnuTLS
+ * 1.3.5 would result in an SSL error. The bug may be in the server
+ * (Netscape-Enterprise/3.6 SP3), in GnuTLS, or in ELinks; please log
+ * your findings to ELinks bug 712. */
 static void
 ssl_set_no_tls(struct socket *socket)
 {
 #ifdef CONFIG_OPENSSL
 	((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1;
+#elif defined(CONFIG_GNUTLS)
+	{
+		/* GnuTLS does not support SSLv2 because it is "insecure".
+		 * That leaves only SSLv3. */
+		static const int protocol_priority[] = {
+			GNUTLS_SSL3,
+			0
+		};
+
+		gnutls_protocol_set_priority(*(ssl_t *) socket->ssl, protocol_priority);
+	}
 #endif
 }
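Review bot: The new GnuTLS branch of ssl_set_no_tls() leaves SSLv3 as the only protocol the session will accept, which is a narrower and weaker set than the OpenSSL branch that merely sets SSL_OP_NO_TLSv1, and neither the code nor the header comment says this is a deliberate last-resort downgrade for one misbehaving server rather than a general setting. I would add to the header comment something like `/* Security: after this call the session will negotiate SSLv3 only; it is a fallback for a specific server and must not be applied by default. */`, and also note that the return value of gnutls_protocol_set_priority() is discarded, so a failed priority change leaves the session in a state the caller cannot observe. The comment line `* Without this, connecting to with GnuTLS` appears to have lost the server name after "to" (the NEWS hunk names https://www-s.uiuc.edu), so the comment is not self-contained as written. Whether this function runs only after a failed TLS handshake depends on its call site, which is outside the hunk.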