From 7c40e0342140f8fc08425f4df7ef2dc42cbe9df6 Mon Sep 17 00:00:00 2001
From: Kalle Olavi Niemitalo
Date: Mon, 2 May 2011 16:09:06 +0300
Subject: [PATCH] 1024: Always disable TLS1.1 with GnuTLS

Using the RFC 3546 server_name TLS extension with TLS 1.1 made https://bugzilla.novell.com/ never respond to negotiation. Disable TLS 1.1 with GnuTLS, like it has already been disabled with OpenSSL. And if an SSL error is detected, disable TLS 1.2 as well.
---
 src/network/ssl/socket.c | 17 ++++++++++++-----
 src/network/ssl/ssl.c | 18 +++++++++++++++++-
 2 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
index 83c1c0710..b449173e3 100644
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -75,11 +75,18 @@ ssl_set_no_tls(struct socket *socket)
 #ifdef CONFIG_OPENSSL
 	((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1;
 #elif defined(CONFIG_GNUTLS)
-	{
-		const char *error;
-
-		gnutls_priority_set_direct(*(ssl_t *) socket->ssl, "SECURE", &error);
-	}
+	/* There is another gnutls_priority_set_direct call elsewhere
+	 * in ELinks. If you change the priorities here, please check
+	 * whether that one needs to be changed as well.
+	 *
+	 * GnuTLS 2.12.x is said to support "-VERS-TLS-ALL" too, but
+	 * that version hasn't yet been released as of May 2011. */
+	gnutls_priority_set_direct(*(ssl_t *) socket->ssl,
+				   "SECURE:-CTYPE-OPENPGP"
+				   ":+VERS-SSL3.0:-VERS-TLS1.0"
+				   ":-VERS-TLS1.1:-VERS-TLS1.2"
+				   ":%SSL3_RECORD_VERSION",
+				   NULL);
 #endif
 }
diff --git a/src/network/ssl/ssl.c b/src/network/ssl/ssl.c
index faf3c0844..bb1ae0737 100644
--- a/src/network/ssl/ssl.c
+++ b/src/network/ssl/ssl.c
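Review bot: The new gnutls_priority_set_direct() call in ssl_set_no_tls still discards its return value (the removed code captured an error position but ignored it too), so if this GnuTLS build rejects a keyword in the string — the comment itself notes the priority vocabulary differs between releases, e.g. `-VERS-TLS-ALL` — the socket silently keeps its previous priorities and the retry after the SSL error runs with nothing changed. ssl.c treats a failure of the same call as fatal; here I would at least capture and report it, `const char *err_pos; if (gnutls_priority_set_direct(*(ssl_t *) socket->ssl, "SECURE:...", &err_pos) != GNUTLS_E_SUCCESS) { /* report err_pos through ELinks' usual error logging */ }`, since the visible body returns nothing and the caller cannot be told otherwise. Separately, the string leaves only `+VERS-SSL3.0` enabled, so this is a protocol downgrade that, per the commit message, is entered after any SSL error; an on-path attacker who can make the first handshake fail can therefore force the SSL 3.0-only retry, and that trade-off deserves a comment such as `/* Fallback after an SSL error: SSL 3.0 only. This is a version downgrade an active attacker can trigger; it mirrors SSL_OP_NO_TLSv1 on the OpenSSL side. */`. Where the error is detected and this function is invoked lies outside the hunk, as does the function's signature line.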
@@ -294,7 +294,23 @@ init_ssl_connection(struct socket *socket,
 	}
 #ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
-	if (gnutls_priority_set_direct(*state, "NORMAL:-CTYPE-OPENPGP", NULL)) {
+	/* Disable OpenPGP certificates because they are not widely
+	 * used and ELinks does not yet support verifying them.
+	 * Besides, in GnuTLS < 2.4.0, they require the gnutls-extra
+	 * library, whose GPLv3+ is not compatible with GPLv2 of
+	 * ELinks.
+	 *
+	 * Disable TLS1.1 because https://bugzilla.novell.com/ does
+	 * not reply to it and leaves the connection open so that
+	 * ELinks does not detect an SSL error but rather times out.
+	 * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528661#25
+	 *
+	 * There is another gnutls_priority_set_direct call elsewhere
+	 * in ELinks. If you change the priorities here, please check
+	 * whether that one needs to be changed as well. */
+	if (gnutls_priority_set_direct(*state,
+				       "NORMAL:-CTYPE-OPENPGP:-VERS-TLS1.1",
+				       NULL)) {
 		gnutls_deinit(*state);
 		mem_free(state);
 		return S_SSL_ERROR;
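Review bot: The `-VERS-TLS1.1` added to the NORMAL priority string is a client-wide workaround for one misbehaving server, so every peer whose best version is TLS 1.1 will now presumably be negotiated down to TLS 1.0 (GnuTLS normally settles on the highest version both sides offer, so TLS 1.2-capable servers should be unaffected); the comment records why the exclusion was added but not when it may be removed. I would end the comment with a removal condition, e.g. ` * TODO: drop -VERS-TLS1.1 once that server is fixed, or expose it via the connection.ssl options.`, so the hardcoded workaround does not silently outlive the bug. Testing the call's result as non-zero is correct for GnuTLS, where success is `GNUTLS_E_SUCCESS` (0), and the failure path deinitialises and frees `state` before returning; whether `socket->ssl` already refers to `*state` at this point is not visible in the hunk. init_ssl_connection starts and ends outside the hunk.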