diff options
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/curl.scm | 5 | ||||
-rw-r--r-- | gnu/packages/patches/curl-7.77-tls-priority-string.patch | 98 |
3 files changed, 102 insertions, 2 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 918c8515ac..fec88aa3a2 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -931,6 +931,7 @@ dist_patch_DATA = \ %D%/packages/patches/cube-nocheck.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \ %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch \ + %D%/packages/patches/curl-7.77-tls-priority-string.patch \ %D%/packages/patches/cursynth-wave-rand.patch \ %D%/packages/patches/cvs-CVE-2017-12836.patch \ %D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch \ diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 76b9b9840c..d368c4140e 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -2,7 +2,7 @@ ;;; Copyright © 2013, 2014, 2015 Andreas Enge <andreas@enge.fr> ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2015 Tomáš Čech <sleep_walker@suse.cz> -;;; Copyright © 2015, 2020 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2015, 2020, 2021 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2016, 2017, 2019 Leo Famulari <leo@famulari.name> ;;; Copyright © 2017, 2019, 2020 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il> @@ -161,7 +161,8 @@ tunneling, and so on.") (inherit (package-source curl)) (uri (string-append "https://curl.haxx.se/download/curl-" version ".tar.xz")) - (patches (search-patches "curl-7.76-use-ssl-cert-env.patch")) + (patches (search-patches "curl-7.76-use-ssl-cert-env.patch" + "curl-7.77-tls-priority-string.patch")) (sha256 (base32 "0jsrc97vbghvljic997r9nypc9qqddcil2lzvv032br8ahn5hr0g")))))) diff --git a/gnu/packages/patches/curl-7.77-tls-priority-string.patch b/gnu/packages/patches/curl-7.77-tls-priority-string.patch new file mode 100644 index 0000000000..bf1bfa8aaa --- /dev/null +++ b/gnu/packages/patches/curl-7.77-tls-priority-string.patch @@ -0,0 +1,98 @@ +cURL 7.77.0 would use a bogus TLS priority string favoring older TLS +protocol versions, which in turn would prevent access to bitbucket.org: + + https://issues.guix.gnu.org/49035 + https://github.com/curl/curl/pull/7278 + +This patch fixes it. +From <https://github.com/curl/curl/pull/7278/commits/b98f79f6ecdb708c67f9a0cec56ce48952a54556>. + +From b98f79f6ecdb708c67f9a0cec56ce48952a54556 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 18 Jun 2021 14:54:07 +0200 +Subject: [PATCH] gnutls: set the prefer ciphers in correct order + +Reported-by: civodul on github +Assisted-by: Nikos Mavrogiannopoulos +Fixes #7277 +--- + lib/vtls/gtls.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index d9bc5611e8f9..da2af64955c3 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -330,6 +330,9 @@ set_ssl_version_min_max(struct Curl_easy *data, + ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2; + } + } ++ else if(ssl_version_max == CURL_SSLVERSION_MAX_DEFAULT) { ++ ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_3; ++ } + + switch(ssl_version | ssl_version_max) { + case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0: +@@ -338,11 +341,11 @@ set_ssl_version_min_max(struct Curl_easy *data, + return CURLE_OK; + case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_1: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.0:+VERS-TLS1.1"; ++ "+VERS-TLS1.1:+VERS-TLS1.0"; + return CURLE_OK; + case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_2: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2"; ++ "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0"; + return CURLE_OK; + case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_1: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +@@ -350,7 +353,7 @@ set_ssl_version_min_max(struct Curl_easy *data, + return CURLE_OK; + case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_2: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.1:+VERS-TLS1.2"; ++ "+VERS-TLS1.2:+VERS-TLS1.1"; + return CURLE_OK; + case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_2: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +@@ -360,25 +363,17 @@ set_ssl_version_min_max(struct Curl_easy *data, + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" + "+VERS-TLS1.3"; + return CURLE_OK; +- case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT: +- *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2" +- ":+VERS-TLS1.3"; ++ case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_3: ++ *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0"; + return CURLE_OK; +- case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_DEFAULT: ++ case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_3: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.1:+VERS-TLS1.2" +- ":+VERS-TLS1.3"; ++ "+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1"; + return CURLE_OK; +- case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT: ++ case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_3: + *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.2" +- ":+VERS-TLS1.3"; ++ "+VERS-TLS1.3:+VERS-TLS1.2"; + return CURLE_OK; +- case CURL_SSLVERSION_TLSv1_3 | CURL_SSLVERSION_MAX_DEFAULT: +- *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" +- "+VERS-TLS1.2" +- ":+VERS-TLS1.3"; + return CURLE_OK; + } + +@@ -608,6 +603,7 @@ gtls_connect_step1(struct Curl_easy *data, + } + else { + #endif ++ infof(data, "GnuTLS ciphers: %s\n", prioritylist); + rc = gnutls_priority_set_direct(session, prioritylist, &err); + #ifdef HAVE_GNUTLS_SRP + } |