| Last-Update: 2015-10-28 |
| Bug-Upstream: https://github.com/meduketto/iksemel/issues/48 |
| Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803204 |
| From: Marc Dequรจnes (duck) <duck@duckcorp.org> |
| Description: fix security problem (and compatibility problem with servers rejecting low grade ciphers). |
| |
| --- a/src/stream.c |
| +++ b/src/stream.c |
| @@ -62,13 +62,9 @@ |
| |
| static int |
| handshake (struct stream_data *data) |
| { |
| - const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; |
| - const int kx_priority[] = { GNUTLS_KX_RSA, 0 }; |
| - const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0}; |
| - const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; |
| - const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; |
| + const char *priority_string = "SECURE256:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2"; |
| int ret; |
| |
| if (gnutls_global_init () != 0) |
| return IKS_NOMEM; |
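Review bot: The new `priority_string` pins the session to exactly TLS 1.2 (`-VERS-TLS-ALL:+VERS-TLS1.2`), so a GnuTLS build that supports a later protocol version can never negotiate it, and nothing in the code records why the pin was chosen. If the intent is a minimum version rather than a fixed one, dropping only the old versions expresses that more durably, e.g. `const char *priority_string = "SECURE256:+SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1";` (check the keywords against the oldest GnuTLS the package must build with). Either way, a comment above the declaration such as `/* high-strength suites only, TLS 1.2 minimum; see Debian bug 803204 */` would tell the next maintainer why weaker suites and older servers are excluded on purpose. handshake's body continues past the end of this hunk.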
| @@ -79,13 +75,9 @@ |
| if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) { |
| gnutls_certificate_free_credentials (data->cred); |
| return IKS_NOMEM; |
| } |
| - gnutls_protocol_set_priority (data->sess, protocol_priority); |
| - gnutls_cipher_set_priority(data->sess, cipher_priority); |
| - gnutls_compression_set_priority(data->sess, comp_priority); |
| - gnutls_kx_set_priority(data->sess, kx_priority); |
| - gnutls_mac_set_priority(data->sess, mac_priority); |
| + gnutls_priority_set_direct(data->sess, priority_string, NULL); |
| gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred); |
| |
| gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push); |
| gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull); |
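Review bot: The result of `gnutls_priority_set_direct` is discarded, so if the installed GnuTLS rejects the priority string (for instance a version that does not know one of its keywords), the handshake carries on with whatever priorities the session already has rather than the hardened set. The call should be checked and the connection aborted on failure, releasing the session and the credentials the same way the `gnutls_init` failure path just above releases the credentials. Passing a `const char *` in place of `NULL` as the third argument would also make the offending position in the string available for a log message. The enclosing function starts and ends outside this hunk; `IKS_NET_TLSFAIL` is the code I would expect here, but confirm it against what handshake already returns for TLS failures.

```c
/* … unchanged: gnutls_init and its failure path … */
if (gnutls_priority_set_direct (data->sess, priority_string, NULL) != GNUTLS_E_SUCCESS) {
	/* refuse to continue with anything other than the hardened priorities */
	gnutls_deinit (data->sess);
	gnutls_certificate_free_credentials (data->cred);
	return IKS_NET_TLSFAIL;
}
gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
/* … unchanged: transport push/pull setup … */
```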