79 lines
2.9 KiB
Diff
79 lines
2.9 KiB
Diff
From f474ec2a887f2ef1dba536683f5a7c8b6dc7e283 Mon Sep 17 00:00:00 2001
|
|
From: Dan Winship <danw@gnome.org>
|
|
Date: Thu, 13 Nov 2014 22:30:13 -0500
|
|
Subject: [PATCH 2/2] gnutls: update default priority string and fallback rules
|
|
|
|
Change the default "priority" string from "NORMAL:%COMPAT" to
|
|
"NORMAL:%COMPAT:%LATEST_RECORD_VERSION". (Correctly-implemented
|
|
servers won't care either way, but apparently some servers have been
|
|
incorrectly updated for POODLE-safeness by rejecting all handshakes
|
|
with SSL 3.0 in the version field [which had long been recommended for
|
|
compatibility reasons], even if the handshake offered to negotiate TLS
|
|
versions too.)
|
|
|
|
Change the fallback/"ssl3" priority code so that it never includes
|
|
%LATEST_RECORD_VERSION, but does include %COMPAT even if the default
|
|
priority doesn't (eg, because it was overridden with
|
|
G_TLS_GNUTLS_PRIORITY).
|
|
|
|
https://bugzilla.gnome.org/show_bug.cgi?id=740087
|
|
---
|
|
tls/gnutls/gtlsconnection-gnutls.c | 23 +++++++++++++++++++----
|
|
1 file changed, 19 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
|
|
index 444ca36..7436451 100644
|
|
--- a/tls/gnutls/gtlsconnection-gnutls.c
|
|
+++ b/tls/gnutls/gtlsconnection-gnutls.c
|
|
@@ -197,6 +197,8 @@ g_tls_connection_gnutls_init (GTlsConnectionGnutls *gnutls)
|
|
/* First field is "fallback", second is "allow unsafe rehandshaking" */
|
|
static gnutls_priority_t priorities[2][2];
|
|
|
|
+#define DEFAULT_BASE_PRIORITY "NORMAL:%COMPAT:%LATEST_RECORD_VERSION"
|
|
+
|
|
static void
|
|
g_tls_connection_gnutls_init_priorities (void)
|
|
{
|
|
@@ -207,12 +209,12 @@ g_tls_connection_gnutls_init_priorities (void)
|
|
|
|
base_priority = g_getenv ("G_TLS_GNUTLS_PRIORITY");
|
|
if (!base_priority)
|
|
- base_priority = "NORMAL:%COMPAT";
|
|
+ base_priority = DEFAULT_BASE_PRIORITY;
|
|
ret = gnutls_priority_init (&priorities[FALSE][FALSE], base_priority, NULL);
|
|
if (ret == GNUTLS_E_INVALID_REQUEST)
|
|
{
|
|
g_warning ("G_TLS_GNUTLS_PRIORITY is invalid; ignoring!");
|
|
- base_priority = "NORMAL:%COMPAT";
|
|
+ base_priority = DEFAULT_BASE_PRIORITY;
|
|
gnutls_priority_init (&priorities[FALSE][FALSE], base_priority, NULL);
|
|
}
|
|
|
|
@@ -236,8 +238,21 @@ g_tls_connection_gnutls_init_priorities (void)
|
|
}
|
|
else
|
|
{
|
|
- fallback_priority = g_strdup_printf ("%s:!VERS-TLS-ALL:+VERS-%s",
|
|
- base_priority,
|
|
+ gchar *cleaned_base, *p, *rest;
|
|
+
|
|
+ /* fallback_priority should be based on base_priority, except
|
|
+ * that we don't want %LATEST_RECORD_VERSION in it.
|
|
+ */
|
|
+ cleaned_base = g_strdup (base_priority);
|
|
+ p = strstr (cleaned_base, ":%LATEST_RECORD_VERSION");
|
|
+ if (p)
|
|
+ {
|
|
+ rest = p + strlen (":%LATEST_RECORD_VERSION");
|
|
+ memmove (p, rest, strlen (rest) + 1);
|
|
+ }
|
|
+
|
|
+ fallback_priority = g_strdup_printf ("%s:%%COMPAT:!VERS-TLS-ALL:+VERS-%s",
|
|
+ cleaned_base,
|
|
gnutls_protocol_get_name (fallback_proto));
|
|
}
|
|
fallback_unsafe_rehandshake_priority = g_strdup_printf ("%s:%%UNSAFE_RENEGOTIATION",
|
|
--
|
|
2.1.0
|
|
|