Use gnutls_set_default_priority.
Thereby enabling TLS 1.2 on GnuTLS versions that support it.
parent
699663614a
commit
82edb1f892
@ -63,83 +63,6 @@ ssl_set_no_tls(struct socket *socket)
|
||||
{
|
||||
#ifdef CONFIG_OPENSSL
|
||||
((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1;
|
||||
#elif defined(CONFIG_GNUTLS)
|
||||
/* We do a little more work here, setting up all these priorities (like
|
||||
* they couldn't have some reasonable defaults there).. */
|
||||
|
||||
{
|
||||
int protocol_priority[3] = {
|
||||
GNUTLS_TLS1,
|
||||
GNUTLS_SSL3,
|
||||
0
|
||||
};
|
||||
|
||||
gnutls_protocol_set_priority(*((ssl_t *) socket->ssl), protocol_priority);
|
||||
}
|
||||
|
||||
/* Note that I have no clue about these; I just put all I found here
|
||||
* ;-). It is all a bit confusing for me, and I just want this to work.
|
||||
* Feel free to send me patch removing useless superfluous bloat,
|
||||
* thanks in advance. --pasky */
|
||||
|
||||
{
|
||||
int cipher_priority[5] = {
|
||||
GNUTLS_CIPHER_RIJNDAEL_128_CBC,
|
||||
GNUTLS_CIPHER_3DES_CBC,
|
||||
GNUTLS_CIPHER_ARCFOUR,
|
||||
GNUTLS_CIPHER_RIJNDAEL_256_CBC,
|
||||
0
|
||||
};
|
||||
|
||||
gnutls_cipher_set_priority(*((ssl_t *) socket->ssl), cipher_priority);
|
||||
}
|
||||
|
||||
{
|
||||
/* Does any httpd support this..? ;) */
|
||||
int comp_priority[3] = {
|
||||
GNUTLS_COMP_ZLIB,
|
||||
GNUTLS_COMP_NULL,
|
||||
0
|
||||
};
|
||||
|
||||
gnutls_compression_set_priority(*((ssl_t *) socket->ssl), comp_priority);
|
||||
}
|
||||
|
||||
{
|
||||
int kx_priority[5] = {
|
||||
GNUTLS_KX_RSA,
|
||||
GNUTLS_KX_DHE_DSS,
|
||||
GNUTLS_KX_DHE_RSA,
|
||||
/* Looks like we don't want SRP, do we? */
|
||||
GNUTLS_KX_ANON_DH,
|
||||
0
|
||||
};
|
||||
|
||||
gnutls_kx_set_priority(*((ssl_t *) socket->ssl), kx_priority);
|
||||
}
|
||||
|
||||
{
|
||||
int mac_priority[3] = {
|
||||
GNUTLS_MAC_SHA,
|
||||
GNUTLS_MAC_MD5,
|
||||
0
|
||||
};
|
||||
|
||||
gnutls_mac_set_priority(*((ssl_t *) socket->ssl), mac_priority);
|
||||
}
|
||||
|
||||
{
|
||||
int cert_type_priority[2] = {
|
||||
GNUTLS_CRT_X509,
|
||||
/* We don't link with -extra now; by time of writing
|
||||
* this, it's unclear where OpenPGP will end up. */
|
||||
0
|
||||
};
|
||||
|
||||
gnutls_certificate_type_set_priority(*((ssl_t *) socket->ssl), cert_type_priority);
|
||||
}
|
||||
|
||||
gnutls_dh_set_prime_bits(*((ssl_t *) socket->ssl), 1024);
|
||||
#endif
|
||||
}
|
||||
|
||||
|
@ -107,9 +107,6 @@ static struct module openssl_module = struct_module(
|
||||
gnutls_anon_client_credentials_t anon_cred = NULL;
|
||||
gnutls_certificate_credentials_t xcred = NULL;
|
||||
|
||||
const static int protocol_priority[16] = {
|
||||
GNUTLS_TLS1, GNUTLS_SSL3, 0
|
||||
};
|
||||
const static int kx_priority[16] = {
|
||||
GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP,
|
||||
/* Do not use anonymous authentication, unless you know what that means */
|
||||
@ -119,8 +116,6 @@ const static int cipher_priority[16] = {
|
||||
GNUTLS_CIPHER_RIJNDAEL_128_CBC, GNUTLS_CIPHER_ARCFOUR_128,
|
||||
GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_ARCFOUR_40, 0
|
||||
};
|
||||
const static int comp_priority[16] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
|
||||
const static int mac_priority[16] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
|
||||
const static int cert_type_priority[16] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 };
|
||||
|
||||
static void
|
||||
@ -232,12 +227,10 @@ init_ssl_connection(struct socket *socket)
|
||||
return S_SSL_ERROR;
|
||||
}
|
||||
|
||||
gnutls_set_default_priority(*state);
|
||||
gnutls_handshake_set_private_extensions(*state, 1);
|
||||
gnutls_cipher_set_priority(*state, cipher_priority);
|
||||
gnutls_compression_set_priority(*state, comp_priority);
|
||||
gnutls_kx_set_priority(*state, kx_priority);
|
||||
gnutls_protocol_set_priority(*state, protocol_priority);
|
||||
gnutls_mac_set_priority(*state, mac_priority);
|
||||
gnutls_certificate_type_set_priority(*state, cert_type_priority);
|
||||
gnutls_server_name_set(*state, GNUTLS_NAME_DNS, server_name,
|
||||
sizeof(server_name) - 1);
|
||||
|
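Review bot: The return value of the new `gnutls_set_default_priority(*state)` call is discarded, even though this call is now the only thing selecting protocols, ciphers and MACs for the session, and the lines just above it already return `S_SSL_ERROR` when session setup fails. Suggest `if (gnutls_set_default_priority(*state) < 0) return S_SSL_ERROR;`, mirroring whatever cleanup the earlier failure path in this function performs (init_ssl_connection starts and ends outside the hunk). The `kx_priority`, `cipher_priority` and `cert_type_priority` arrays that appear to survive the earlier hunks seem to have no remaining callers after this change, so they will likely draw unused-variable warnings unless they are removed as well. The `ssl_set_no_tls` hunk likewise appears to leave its `#elif defined(CONFIG_GNUTLS)` branch with no protocol restriction at all, which deserves an explicit comment such as `/* GnuTLS: protocol choice is left to gnutls_set_default_priority(); this function is a no-op here. */` so readers do not assume the fallback still happens.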