mirror of https://github.com/rkd77/elinks.git synced 2024-09-27 02:56:18 -04:00

Debian bug 528661: Disable some TLS extensions on GNUTLS.

- gnutls_handshake_set_private_extensions: Do not enable private cipher
  suites that might not be supported by anything other than GNUTLS.
  The GNUTLS 2.8.0 documentation notes that enabling these extensions
  can cause interoperability problems.
- gnutls_set_default_priority: Explicitly disable OpenPGP certificates.
- gnutls_certificate_type_set_priority: Do not enable OpenPGP certificates.
  The GNUTLS 2.8.0 documentation notes that OpenPGP certificate support
  requires libgnutls-extra.  Because libgnutls-extra 2.2.0 and later are
  under GPLv3-or-later and thus not GPLv2 compatible, ELinks doesn't use
  libgnutls-extra, so OpenPGP certificates didn't work anyway.
- gnutls_server_name_set: Do not tell the server the hostname from the URL.
  This was supposed to let the server choose the appropriate certificate
  for each name-based virtual host, but ELinks actually always sent just
  "localhost", so it didn't work anyway.  This will have to be revisited
  when ELinks is changed to actually verify the subject name from the
  server's certificate (ELinks bug 1024).

These changes should help ELinks negotiate SSL with bugzilla.novell.com.

[NEWS and commit message by me.  --KON]
Witold Filipczyk 2009-05-28 15:16:22 +02:00 committed by Kalle Olavi Niemitalo
parent 1eebbb9ede
commit 864fa0b56a
2 changed files with 13 additions and 5 deletions

NEWS

@ -21,6 +21,9 @@ Incompatibilities:
Other changes:
* critical bug 1071: Fix crash in get_dom_node_child.
* Debian bug 528661: If using GNUTLS, disable various TLS extensions
(including CERT and SERVERNAME) to help handshaking with the
SSLv3-only bugzilla.novell.com.
* Debian build bug 526349: Include asciidoc.py from AsciiDoc 7.1.2,
to remove all dependencies on the installed version.
* build enhancement: Recognize ``configure --without-tre''.
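Review bot: the parenthetical "(including CERT and SERVERNAME)" in the new NEWS lines is ambiguous, because "CERT" reads as if certificate handling were disabled altogether, whereas the code change only removes the OpenPGP certificate type (the "NORMAL:-CTYPE-OPENPGP" priority string) and stops sending the server_name extension; X.509 certificates are still negotiated. Suggest spelling that out, e.g. "(the OpenPGP certificate type and the server_name extension)", so a user reading the changelog does not conclude that certificate-based authentication was switched off.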


@ -230,7 +230,7 @@ init_ssl_connection(struct socket *socket)
socket->ssl = SSL_new(context);
if (!socket->ssl) return S_SSL_ERROR;
#elif defined(CONFIG_GNUTLS)
const unsigned char server_name[] = "localhost";
/* const unsigned char server_name[] = "localhost"; */
ssl_t *state = mem_alloc(sizeof(ssl_t));
if (!state) return S_SSL_ERROR;
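Review bot: rather than keeping the server_name declaration as a commented-out line, delete it; version history already records it, and a commented-out constant that no live code references only invites bit-rot. If the point is to flag that SNI is deliberately not sent until the subject-name verification work in ELinks bug 1024 lands, a one-line comment saying exactly that is more useful than the dead declaration.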
@ -255,13 +255,18 @@ init_ssl_connection(struct socket *socket)
return S_SSL_ERROR;
}
gnutls_set_default_priority(*state);
gnutls_handshake_set_private_extensions(*state, 1);
if (gnutls_priority_set_direct(*state, "NORMAL:-CTYPE-OPENPGP", NULL)) {
gnutls_deinit(*state);
mem_free(state);
return S_SSL_ERROR;
}
/* gnutls_set_default_priority(*state); */
/* gnutls_handshake_set_private_extensions(*state, 1); */
gnutls_cipher_set_priority(*state, cipher_priority);
gnutls_kx_set_priority(*state, kx_priority);
gnutls_certificate_type_set_priority(*state, cert_type_priority);
/* gnutls_certificate_type_set_priority(*state, cert_type_priority);
gnutls_server_name_set(*state, GNUTLS_NAME_DNS, server_name,
sizeof(server_name) - 1);
sizeof(server_name) - 1); */
socket->ssl = state;
#endif
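Review bot: the error branch after gnutls_priority_set_direct throws away the diagnostic, because the err_pos argument is passed as NULL; passing a const char * and reporting it would tell the user which keyword of "NORMAL:-CTYPE-OPENPGP" a given GnuTLS build rejected, which matters because the priority-string syntax varies between GnuTLS versions and a rejection here silently turns into S_SSL_ERROR. Two smaller points on the same hunk: the commented-out gnutls_set_default_priority, gnutls_handshake_set_private_extensions, gnutls_certificate_type_set_priority and gnutls_server_name_set calls should be removed rather than left in comments, and since the NORMAL string already defines the cipher and key-exchange lists, the retained gnutls_cipher_set_priority and gnutls_kx_set_priority calls override part of what was just set, so a short comment explaining why cipher_priority and kx_priority are still needed (or dropping them) would make the intended final priority unambiguous.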