moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-10 11:35:07 -05:00
Code Issues Releases Wiki Activity

gnutls: enforced use of SSLv3

Browse Source 
With advice from Nikos Mavrogiannopoulos, changed the priority string to
add "actual priorities" and favour ARCFOUR. This makes libcurl work
better when enforcing SSLv3 with GnuTLS. Both in the sense that the
libmicrohttpd test is now working again but also that it mitigates a
weakness in the older SSL/TLS protocols.

Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html
Reported by: Christian Grothoff
This commit is contained in:
Daniel Stenberg 2012-01-23 23:53:06 +01:00
parent c11c30a8c8
commit 70f71bb99f
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/gtls.c
View File

@ -453,7 +453,13 @@ gtls_connect_step1(struct connectdata *conn,
rc = gnutls_protocol_set_priority(session, protocol_priority); rc = gnutls_protocol_set_priority(session, protocol_priority);
#else #else
const char *err; const char *err;
rc = gnutls_priority_set_direct(session, "-VERS-TLS-ALL:+VERS-SSL3.0", /* the combination of the cipher ARCFOUR with SSL 3.0 and TLS 1.0 is not
vulnerable to attacks such as the BEAST, why this code now explicitly
asks for that
*/
rc = gnutls_priority_set_direct(session,
"NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:"
"-CIPHER-ALL:+ARCFOUR-128",
&err); &err);
#endif #endif
if(rc != GNUTLS_E_SUCCESS) if(rc != GNUTLS_E_SUCCESS)