Commit 70f71bb9 authored by Daniel Stenberg

gnutls: enforced use of SSLv3

With advice from Nikos Mavrogiannopoulos, changed the priority string to
add "actual priorities" and favour ARCFOUR. This makes libcurl work
better when enforcing SSLv3 with GnuTLS. Both in the sense that the
libmicrohttpd test is now working again but also that it mitigates a
weakness in the older SSL/TLS protocols.

Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html
Reported by: Christian Grothoff
parent c11c30a8
+7 −1
@@ -453,7 +453,13 @@ gtls_connect_step1(struct connectdata *conn,
    rc = gnutls_protocol_set_priority(session, protocol_priority);
#else
    const char *err;
    rc = gnutls_priority_set_direct(session, "-VERS-TLS-ALL:+VERS-SSL3.0",
    /* the combination of the cipher ARCFOUR with SSL 3.0 and TLS 1.0 is not
       vulnerable to attacks such as the BEAST, why this code now explicitly
       asks for that
    */
    rc = gnutls_priority_set_direct(session,
                                    "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:"
                                    "-CIPHER-ALL:+ARCFOUR-128",
                                    &err);
#endif
    if(rc != GNUTLS_E_SUCCESS)
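Review bot: In the new priority string, "-CIPHER-ALL:+ARCFOUR-128" leaves ARCFOUR-128 as the only cipher rather than the preferred one, so the commit message's "favour ARCFOUR" understates the change: an SSLv3 handshake with a peer that does not offer ARCFOUR now fails instead of falling back to another cipher. If that is intended, say so in the comment above the call; if not, keep ARCFOUR-128 first and re-add the fallback ciphers after it. The comment also refers to TLS 1.0, which this string disables through "-VERS-TLS-ALL", so it should either drop that mention or state that only the enforced SSL 3.0 case is handled here.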