author | Michael Catanzaro <mcatanzaro@igalia.com> | 2017-05-15 20:29:27 -0500 |
---|---|---|
committer | Michael Catanzaro <mcatanzaro@igalia.com> | 2017-05-15 20:35:49 -0500 |
commit | c0aaea9962fbb4788ea94a55b35188f3c193e123 (patch) | |
tree | df522594a7b12477994351f57dba8cb5827051cc | |
parent | 8c2a298a2aff62a7963ada2039829d6f0274f785 (diff) | |
gnutls: Stop using %LATEST_RECORD_VERSION in priority string
This was added after POODLE to deal with broken servers that conflated
TLS record version with protocol version and started blocking clients
that used the SSLv3 record version. Now that SSLv3 is no longer enabled
by WebKit or newer versions of GnuTLS, there is no longer any reason
to keep doing this, and it's breaking interoperability with other broken
servers. Remove it.
This also adds a comment to clarify the confusing duplication of
%COMPAT in the fallback priority string.
https://bugzilla.gnome.org/show_bug.cgi?id=782218
-rw-r--r-- | tls/gnutls/gtlsconnection-gnutls.c | 21 |
1 files changed, 4 insertions, 17 deletions
diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
index ca4730b..51ac2fa 100644
--- a/tls/gnutls/gtlsconnection-gnutls.c
+++ b/tls/gnutls/gtlsconnection-gnutls.c
@@ -213,7 +213,7 @@ g_tls_connection_gnutls_init (GTlsConnectionGnutls *gnutls)
 /* First field is "fallback", second is "allow unsafe rehandshaking" */
 static gnutls_priority_t priorities[2][2];
-#define DEFAULT_BASE_PRIORITY "NORMAL:%COMPAT:%LATEST_RECORD_VERSION"
+#define DEFAULT_BASE_PRIORITY "NORMAL:%COMPAT"
 static void
 g_tls_connection_gnutls_init_priorities (void)
@@ -255,24 +255,11 @@ g_tls_connection_gnutls_init_priorities (void)
 }
 else
 {
- gchar *cleaned_base, *p, *rest;
-
- /* fallback_priority should be based on base_priority, except
- * that we don't want %LATEST_RECORD_VERSION in it.
- */
- cleaned_base = g_strdup (base_priority);
- p = strstr (cleaned_base, ":%LATEST_RECORD_VERSION");
- if (p)
- {
- rest = p + strlen (":%LATEST_RECORD_VERSION");
- memmove (p, rest, strlen (rest) + 1);
- }
-
+ /* %COMPAT is intentionally duplicated here, to ensure it gets added for
+ * the fallback even if the default priority has been changed. */
 fallback_priority = g_strdup_printf ("%s:%%COMPAT:!VERS-TLS-ALL:+VERS-%s",
- cleaned_base,
+ DEFAULT_BASE_PRIORITY,
 gnutls_protocol_get_name (fallback_proto));
-
- g_free (cleaned_base);
 }
 fallback_unsafe_rehandshake_priority = g_strdup_printf ("%s:%%UNSAFE_RENEGOTIATION",
 fallback_priority);
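Review bot: The fallback priority string in the second hunk is now built from the compile-time DEFAULT_BASE_PRIORITY rather than from base_priority, so if base_priority can differ from the default in this function (the removed code clearly treated it that way, since it copied and cleaned it before use), any operator-supplied restrictions in it — disabled cipher suites, key sizes, extensions — are silently dropped on the fallback connection, which is exactly the downgraded path where they matter most. The commit message only motivates removing %LATEST_RECORD_VERSION and does not mention this change of base. With the cleaning gone, the one-line fix is to keep the original base: replace `DEFAULT_BASE_PRIORITY,` with `base_priority,` in the g_strdup_printf call. The added comment can stay as is, since appending `%COMPAT` again still guarantees the fallback carries it even when base_priority does not. g_tls_connection_gnutls_init_priorities begins and ends outside this hunk, so I cannot see how base_priority is set; please confirm against the top of the function.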