mirror of
https://github.com/rkd77/elinks.git
synced 2024-12-04 14:46:47 -05:00
Debian bug 528661: Disable some TLS extensions on GNUTLS.
- gnutls_handshake_set_private_extensions: Do not enable private cipher suites that might not be supported by anything other than GNUTLS. The GNUTLS 2.8.0 documentation notes that enabling these extensions can cause interoperability problems. - gnutls_set_default_priority: Explicitly disable OpenPGP certificates. - gnutls_certificate_type_set_priority: Do not enable OpenPGP certificates. The GNUTLS 2.8.0 documentation notes that OpenPGP certificate support requires libgnutls-extra. Because libgnutls-extra 2.2.0 and later are under GPLv3-or-later and thus not GPLv2 compatible, ELinks doesn't use libgnutls-extra, so OpenPGP certificates didn't work anyway. - gnutls_server_name_set: Do not tell the server the hostname from the URL. This was supposed to let the server choose the appropriate certificate for each name-based virtual host, but ELinks actually always sent just "localhost", so it didn't work anyway. This will have to be revisited when ELinks is changed to actually verify the subject name from the server's certificate (ELinks bug 1024). These changes should help ELinks negotiate SSL with bugzilla.novell.com. [NEWS and commit message by me. --KON]
This commit is contained in:
parent
1eebbb9ede
commit
864fa0b56a
3
NEWS
3
NEWS
@ -21,6 +21,9 @@ Incompatibilities:
|
||||
Other changes:
|
||||
|
||||
* critical bug 1071: Fix crash in get_dom_node_child.
|
||||
* Debian bug 528661: If using GNUTLS, disable various TLS extensions
|
||||
(including CERT and SERVERNAME) to help handshaking with the
|
||||
SSLv3-only bugzilla.novell.com.
|
||||
* Debian build bug 526349: Include asciidoc.py from AsciiDoc 7.1.2,
|
||||
to remove all dependencies on the installed version.
|
||||
* build enhancement: Recognize ``configure --without-tre''.
|
||||
|
@ -230,7 +230,7 @@ init_ssl_connection(struct socket *socket)
|
||||
socket->ssl = SSL_new(context);
|
||||
if (!socket->ssl) return S_SSL_ERROR;
|
||||
#elif defined(CONFIG_GNUTLS)
|
||||
const unsigned char server_name[] = "localhost";
|
||||
/* const unsigned char server_name[] = "localhost"; */
|
||||
ssl_t *state = mem_alloc(sizeof(ssl_t));
|
||||
|
||||
if (!state) return S_SSL_ERROR;
|
||||
@ -255,13 +255,18 @@ init_ssl_connection(struct socket *socket)
|
||||
return S_SSL_ERROR;
|
||||
}
|
||||
|
||||
gnutls_set_default_priority(*state);
|
||||
gnutls_handshake_set_private_extensions(*state, 1);
|
||||
if (gnutls_priority_set_direct(*state, "NORMAL:-CTYPE-OPENPGP", NULL)) {
|
||||
gnutls_deinit(*state);
|
||||
mem_free(state);
|
||||
return S_SSL_ERROR;
|
||||
}
|
||||
/* gnutls_set_default_priority(*state); */
|
||||
/* gnutls_handshake_set_private_extensions(*state, 1); */
|
||||
gnutls_cipher_set_priority(*state, cipher_priority);
|
||||
gnutls_kx_set_priority(*state, kx_priority);
|
||||
gnutls_certificate_type_set_priority(*state, cert_type_priority);
|
||||
/* gnutls_certificate_type_set_priority(*state, cert_type_priority);
|
||||
gnutls_server_name_set(*state, GNUTLS_NAME_DNS, server_name,
|
||||
sizeof(server_name) - 1);
|
||||
sizeof(server_name) - 1); */
|
||||
|
||||
socket->ssl = state;
|
||||
#endif
|
||||
|
Loading…
Reference in New Issue
Block a user