diff options
author | Ludovic Courtès <ludo@gnu.org> | 2021-06-18 15:43:12 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2021-06-18 17:40:10 +0200 |
commit | caf4a7a2770ef4d05a6e18f40d602e51da749ddc (patch) | |
tree | ccb3dd9fb430cc8c71c620671d90f4569dce0827 /gnu/packages/patches | |
parent | 299c3c18603f4f92f187908ad48eeb6e5b3b6630 (diff) |
gnu: curl@7.77.0: Provide a correct TLS priority string.
Fixes <https://bugs.gnu.org/49035>.
* gnu/packages/patches/curl-7.77-tls-priority-string.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/curl.scm (curl-7.77.0)[source]: Use it.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/curl-7.77-tls-priority-string.patch | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/gnu/packages/patches/curl-7.77-tls-priority-string.patch b/gnu/packages/patches/curl-7.77-tls-priority-string.patch new file mode 100644 index 0000000000..bf1bfa8aaa --- /dev/null +++ b/gnu/packages/patches/curl-7.77-tls-priority-string.patch @@ -0,0 +1,98 @@ +cURL 7.77.0 would use a bogus TLS priority string favoring older TLS +protocol versions, which in turn would prevent access to bitbucket.org: + + https://issues.guix.gnu.org/49035 + https://github.com/curl/curl/pull/7278 + +This patch fixes it. +From <https://github.com/curl/curl/pull/7278/commits/b98f79f6ecdb708c67f9a0cec56ce48952a54556>. + +From b98f79f6ecdb708c67f9a0cec56ce48952a54556 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 18 Jun 2021 14:54:07 +0200 +Subject: [PATCH] gnutls: set the prefer ciphers in correct order + +Reported-by: civodul on github +Assisted-by: Nikos Mavrogiannopoulos +Fixes #7277 +--- + lib/vtls/gtls.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index d9bc5611e8f9..da2af64955c3 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -330,6 +330,9 @@ set_ssl_version_min_max(struct Curl_easy *data, + ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2; + } + } ++ else if(ssl_version_max == CURL_SSLVERSION_MAX_DEFAULT) { ++ ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_3; ++ } + + switch(ssl_version | ssl_version_max) { + case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0: +@@ -338,11 +341,11 @@ set_ssl_version_min_max(struct Curl_easy *data, + return CURLE_OK; + case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_1: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.0:+VERS-TLS1.1"; ++ "+VERS-TLS1.1:+VERS-TLS1.0"; + return CURLE_OK; + case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_2: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2"; ++ "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0"; + return CURLE_OK; + case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_1: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +@@ -350,7 +353,7 @@ set_ssl_version_min_max(struct Curl_easy *data, + return CURLE_OK; + case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_2: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.1:+VERS-TLS1.2"; ++ "+VERS-TLS1.2:+VERS-TLS1.1"; + return CURLE_OK; + case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_2: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +@@ -360,25 +363,17 @@ set_ssl_version_min_max(struct Curl_easy *data, + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" + "+VERS-TLS1.3"; + return CURLE_OK; +- case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT: +- *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2" +- ":+VERS-TLS1.3"; ++ case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_3: ++ *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0"; + return CURLE_OK; +- case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_DEFAULT: ++ case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_3: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.1:+VERS-TLS1.2" +- ":+VERS-TLS1.3"; ++ "+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1"; + return CURLE_OK; +- case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT: ++ case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_3: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.2" +- ":+VERS-TLS1.3"; ++ "+VERS-TLS1.3:+VERS-TLS1.2"; + return CURLE_OK; +- case CURL_SSLVERSION_TLSv1_3 | CURL_SSLVERSION_MAX_DEFAULT: +- *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.2" +- ":+VERS-TLS1.3"; + return CURLE_OK; + } + +@@ -608,6 +603,7 @@ gtls_connect_step1(struct Curl_easy *data, + } + else { + #endif ++ infof(data, "GnuTLS ciphers: %s\n", prioritylist); + rc = gnutls_priority_set_direct(session, prioritylist, &err); + #ifdef HAVE_GNUTLS_SRP + } |