
1024: Always disable TLS1.1 with GnuTLS

Using the RFC 3546 server_name TLS extension with TLS 1.1 made
https://bugzilla.novell.com/ never respond to negotiation.
Disable TLS 1.1 with GnuTLS, as it has already been disabled with
OpenSSL.  And if an SSL error is detected, disable TLS 1.2 as well.
This commit is contained in:
Kalle Olavi Niemitalo 2011-05-02 16:09:06 +03:00 committed by Kalle Olavi Niemitalo
parent 6c84978cf5
commit 7c40e03421
2 changed files with 29 additions and 6 deletions


@ -75,11 +75,18 @@ ssl_set_no_tls(struct socket *socket)
#ifdef CONFIG_OPENSSL #ifdef CONFIG_OPENSSL
((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1; ((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1;
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
{ /* There is another gnutls_priority_set_direct call elsewhere
const char *error; * in ELinks. If you change the priorities here, please check
* whether that one needs to be changed as well.
gnutls_priority_set_direct(*(ssl_t *) socket->ssl, "SECURE", &error); *
} * GnuTLS 2.12.x is said to support "-VERS-TLS-ALL" too, but
* that version hasn't yet been released as of May 2011. */
gnutls_priority_set_direct(*(ssl_t *) socket->ssl,
"SECURE:-CTYPE-OPENPGP"
":+VERS-SSL3.0:-VERS-TLS1.0"
":-VERS-TLS1.1:-VERS-TLS1.2"
":%SSL3_RECORD_VERSION",
NULL);
#endif #endif
} }
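Review bot: The return value of gnutls_priority_set_direct() is discarded in the GnuTLS branch of ssl_set_no_tls, while the parallel call in init_ssl_connection (second file of this commit) checks it and tears the connection down on failure. If the installed GnuTLS rejects the new, longer priority string (the comment itself notes that keyword support varies by release), the session silently keeps its previous priorities and the retry is not the SSL 3.0-only fallback this code intends, which is hard to notice from the outside. Keeping an error-position argument, as the removed code did, would at least make the failure observable: `const char *err_pos = NULL;` followed by `if (gnutls_priority_set_direct(*(ssl_t *) socket->ssl, "...", &err_pos) != GNUTLS_E_SUCCESS) { /* report err_pos; priorities are unchanged */ }`. Since this branch deliberately narrows the session to SSL 3.0 records and versions, the block comment should state that consequence explicitly, e.g. `/* Fallback after an SSL error: allow only SSL 3.0, no TLS at all. */`. The ssl_set_no_tls signature appears only in the hunk header, so the function begins outside the hunk.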


@ -294,7 +294,23 @@ init_ssl_connection(struct socket *socket,
} }
#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT #ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
if (gnutls_priority_set_direct(*state, "NORMAL:-CTYPE-OPENPGP", NULL)) { /* Disable OpenPGP certificates because they are not widely
* used and ELinks does not yet support verifying them.
* Besides, in GnuTLS < 2.4.0, they require the gnutls-extra
* library, whose GPLv3+ is not compatible with GPLv2 of
* ELinks.
*
* Disable TLS1.1 because https://bugzilla.novell.com/ does
* not reply to it and leaves the connection open so that
* ELinks does not detect an SSL error but rather times out.
* http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528661#25
*
* There is another gnutls_priority_set_direct call elsewhere
* in ELinks. If you change the priorities here, please check
* whether that one needs to be changed as well. */
if (gnutls_priority_set_direct(*state,
"NORMAL:-CTYPE-OPENPGP:-VERS-TLS1.1",
NULL)) {
gnutls_deinit(*state); gnutls_deinit(*state);
mem_free(state); mem_free(state);
return S_SSL_ERROR; return S_SSL_ERROR;