gnutls: enforced use of SSLv3

With advice from Nikos Mavrogiannopoulos, changed the priority string to add "actual priorities" and favour ARCFOUR. This makes libcurl work better when enforcing SSLv3 with GnuTLS. Both in the sense that the libmicrohttpd test is now working again but also that it mitigates a weakness in the older SSL/TLS protocols. Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html Reported by: Christian Grothoff
2012-01-23 23:53:06 +01:00 · 2012-01-23 23:53:06 +01:00 · 70f71bb99f
parent c11c30a8c8
commit 70f71bb99f
1 changed files with 7 additions and 1 deletions
--- a/lib/gtls.c
+++ b/lib/gtls.c
@ -453,7 +453,13 @@ gtls_connect_step1(struct connectdata *conn,
    rc = gnutls_protocol_set_priority(session, protocol_priority);
 #else
    const char *err;
-    rc = gnutls_priority_set_direct(session, "-VERS-TLS-ALL:+VERS-SSL3.0",
+    /* the combination of the cipher ARCFOUR with SSL 3.0 and TLS 1.0 is not
+       vulnerable to attacks such as the BEAST, why this code now explicitly
+       asks for that
+    */
+    rc = gnutls_priority_set_direct(session,
+                                    "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:"
+                                    "-CIPHER-ALL:+ARCFOUR-128",
                                    &err);
 #endif
    if(rc != GNUTLS_E_SUCCESS)