mirror of
https://github.com/moparisthebest/curl
synced 2024-12-22 16:18:48 -05:00
gnutls: enforced use of SSLv3
With advice from Nikos Mavrogiannopoulos, changed the priority string to add "actual priorities" and favour ARCFOUR. This makes libcurl work better when enforcing SSLv3 with GnuTLS. Both in the sense that the libmicrohttpd test is now working again but also that it mitigates a weakness in the older SSL/TLS protocols. Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html Reported by: Christian Grothoff
This commit is contained in:
parent
c11c30a8c8
commit
70f71bb99f
@ -453,7 +453,13 @@ gtls_connect_step1(struct connectdata *conn,
|
|||||||
rc = gnutls_protocol_set_priority(session, protocol_priority);
|
rc = gnutls_protocol_set_priority(session, protocol_priority);
|
||||||
#else
|
#else
|
||||||
const char *err;
|
const char *err;
|
||||||
rc = gnutls_priority_set_direct(session, "-VERS-TLS-ALL:+VERS-SSL3.0",
|
/* the combination of the cipher ARCFOUR with SSL 3.0 and TLS 1.0 is not
|
||||||
|
vulnerable to attacks such as the BEAST, why this code now explicitly
|
||||||
|
asks for that
|
||||||
|
*/
|
||||||
|
rc = gnutls_priority_set_direct(session,
|
||||||
|
"NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:"
|
||||||
|
"-CIPHER-ALL:+ARCFOUR-128",
|
||||||
&err);
|
&err);
|
||||||
#endif
|
#endif
|
||||||
if(rc != GNUTLS_E_SUCCESS)
|
if(rc != GNUTLS_E_SUCCESS)
|
||||||
|
Loading…
Reference in New Issue
Block a user