From e4ee84202633636b4c8cef4a332f0c74912a3b23 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sat, 26 Jan 2019 23:14:12 +0100 Subject: download: Ask not to use TLS 1.3. Works around . Reported by Marius Bakke . * guix/build/download.scm (tls-wrap): Add "-VERS-TLS1.3" to the priority string when (gnutls-version) is not prefixed by "3.5". --- guix/build/download.scm | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'guix/build') diff --git a/guix/build/download.scm b/guix/build/download.scm index c08221b3b2..a64e0f0bd3 100644 --- a/guix/build/download.scm +++ b/guix/build/download.scm @@ -157,7 +157,8 @@ out if the connection could not be established in less than TIMEOUT seconds." ;; XXX: Use this hack instead of #:autoload to avoid compilation errors. ;; See . (module-autoload! (current-module) - '(gnutls) '(make-session connection-end/client)) + '(gnutls) + '(gnutls-version make-session connection-end/client)) (define %tls-ports ;; Mapping of session record ports to the underlying file port. @@ -268,7 +269,18 @@ host name without trailing dot." ;; "(gnutls) Priority Strings"); see . ;; Explicitly disable SSLv3, which is insecure: ;; . - (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0") + ;; + ;; FIXME: Since we currently fail to handle TLS 1.3 (with GnuTLS 3.6.5), + ;; remove it; see . + (set-session-priorities! session + (string-append + "NORMAL:%COMPAT:-VERS-SSL3.0" + + ;; The "VERS-TLS1.3" priority string is not + ;; supported by GnuTLS 3.5. + (if (string-prefix? "3.5." (gnutls-version)) + "" + ":-VERS-TLS1.3"))) (set-session-credentials! session (if (and verify-certificate? ca-certs) -- cgit v1.2.3