authorDaniel Stenberg <daniel@haxx.se>2012-01-23 23:53:06 +0100
committerDaniel Stenberg <daniel@haxx.se>2012-01-24 08:54:26 +0100
commit70f71bb99f7ed9f4164430507c0b03b84c7e0258 (patch)
treed96c0897cf3aefbe60b8ffa2c24d4b43a1457b87
parentc11c30a8c8d727dcf5634fa0cc6ee0b4b77ddc3d (diff)
gnutls: enforced use of SSLv3
With advice from Nikos Mavrogiannopoulos, changed the priority string to add "actual priorities" and favour ARCFOUR. This makes libcurl work better when enforcing SSLv3 with GnuTLS. Both in the sense that the libmicrohttpd test is now working again but also that it mitigates a weakness in the older SSL/TLS protocols. Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html Reported by: Christian Grothoff
-rw-r--r--lib/gtls.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/gtls.c b/lib/gtls.c
index f44fd7748..e24e7a81e 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -453,7 +453,13 @@ gtls_connect_step1(struct connectdata *conn,
rc = gnutls_protocol_set_priority(session, protocol_priority);
#else
const char *err;
- rc = gnutls_priority_set_direct(session, "-VERS-TLS-ALL:+VERS-SSL3.0",
+ /* the combination of the cipher ARCFOUR with SSL 3.0 and TLS 1.0 is not
+ vulnerable to attacks such as the BEAST, why this code now explicitly
+ asks for that
+ */
+ rc = gnutls_priority_set_direct(session,
+ "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:"
+ "-CIPHER-ALL:+ARCFOUR-128",
&err);
#endif
if(rc != GNUTLS_E_SUCCESS)
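Review bot: The new priority string ends in `-CIPHER-ALL:+ARCFOUR-128`, so RC4 becomes the only cipher offered on this SSLv3-only path and a peer that does not offer RC4 will fail the handshake with no fallback. RC4 sidesteps BEAST only because BEAST targets the CBC suites; it is not a lasting choice (RC4 was later prohibited for TLS by RFC 7465 and SSLv3 deprecated by RFC 7568), so the comment should mark this as a stop-gap, e.g. `/* BEAST targets CBC suites in SSL 3.0/TLS 1.0; offer only RC4 here as a stop-gap and revisit */`. Whether `err` (which GnuTLS sets to the rejected position in the string) reaches the failure message cannot be seen from here, because the body of `if(rc != GNUTLS_E_SUCCESS)` and the rest of gtls_connect_step1 lie outside the hunk; logging it would make a rejected priority string on older GnuTLS builds much easier to diagnose.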