download: Add "%COMPAT" to the priority string.

Fixes <http://bugs.gnu.org/23311>. * guix/build/download.scm (tls-wrap): Add 'set-session-priorities!' call.
author: Ludovic Courtès <ludo@gnu.org> 2016-04-20 13:12:57 +0200
committer: Ludovic Courtès <ludo@gnu.org> 2016-04-20 13:17:52 +0200
commit: 967ee481e893fd77ff8ca896188e20e425331bf2 (patch)
tree: 68a1215e7680c0a5b2b833fa5a9b2aadc38cd870 /guix/build/download.scm
parent: 083b3a0e25a5369ac663081446a2f420cd2dbd6f (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/guix/build/download.scm b/guix/build/download.scm
index bd354a6985..e00fa04e35 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -274,6 +274,13 @@ host name without trailing dot."
 
     (set-session-transport-fd! session (fileno port))
     (set-session-default-priority! session)
+
+    ;; The "%COMPAT" bit allows us to work around firewall issues (info
+    ;; "(gnutls) Priority Strings"); see <http://bugs.gnu.org/23311>.
+    ;; Explicitly disable SSLv3, which is insecure:
+    ;; <https://tools.ietf.org/html/rfc7568>.
+    (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0")
+
     (set-session-credentials! session (make-certificate-credentials))
 
     ;; Uncomment the following lines in case of debugging emergency.
author	Ludovic Courtès <ludo@gnu.org>	2016-04-20 13:12:57 +0200
committer	Ludovic Courtès <ludo@gnu.org>	2016-04-20 13:17:52 +0200
commit	967ee481e893fd77ff8ca896188e20e425331bf2 (patch)
tree	68a1215e7680c0a5b2b833fa5a9b2aadc38cd870 /guix/build/download.scm
parent	083b3a0e25a5369ac663081446a2f420cd2dbd6f (diff)