gnutls: enforced use of SSLv3 With advice from Nikos Mavrogiannopoulos, changed the priority string to add "actual priorities" and favour ARCFOUR. This makes libcurl work better when enforcing SSLv3 with GnuTLS. Both in the sense that the libmicrohttpd test is now working again but also that it mitigates a weakness in the older SSL/TLS protocols. Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html Reported by: Christian Grothoff

commit: 70f71bb99f7ed9f4164430507c0b03b84c7e0258 [log] [tgz]
author: Daniel Stenberg <daniel@haxx.se> Mon Jan 23 23:53:06 2012 +0100
committer: Daniel Stenberg <daniel@haxx.se> Tue Jan 24 08:54:26 2012 +0100
tree: d96c0897cf3aefbe60b8ffa2c24d4b43a1457b87
parent: c11c30a8c8d727dcf5634fa0cc6ee0b4b77ddc3d [diff]
diff --git a/lib/gtls.c b/lib/gtls.c
index f44fd77..e24e7a8 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c

@@ -453,7 +453,13 @@
     rc = gnutls_protocol_set_priority(session, protocol_priority);
 #else
     const char *err;
-    rc = gnutls_priority_set_direct(session, "-VERS-TLS-ALL:+VERS-SSL3.0",
+    /* the combination of the cipher ARCFOUR with SSL 3.0 and TLS 1.0 is not
+       vulnerable to attacks such as the BEAST, why this code now explicitly
+       asks for that
+    */
+    rc = gnutls_priority_set_direct(session,
+                                    "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:"
+                                    "-CIPHER-ALL:+ARCFOUR-128",
                                     &err);
 #endif
     if(rc != GNUTLS_E_SUCCESS)
commit	70f71bb99f7ed9f4164430507c0b03b84c7e0258	[log] [tgz]
author	Daniel Stenberg <daniel@haxx.se>	Mon Jan 23 23:53:06 2012 +0100
committer	Daniel Stenberg <daniel@haxx.se>	Tue Jan 24 08:54:26 2012 +0100
tree	d96c0897cf3aefbe60b8ffa2c24d4b43a1457b87
parent	c11c30a8c8d727dcf5634fa0cc6ee0b4b77ddc3d [diff]