diff options
author | Leo Famulari <leo@famulari.name> | 2016-01-05 19:26:25 -0500 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2016-01-07 02:35:38 -0500 |
commit | 62339e2d493bf87a3aabe12e45458581e9705d83 (patch) | |
tree | 31a9bd122f8827aa2cf349d87ea040bb5cca5b9e | |
parent | e6352001c444a82141ea4457e49e69a1c3f8b2bb (diff) | |
download | guix-62339e2d493bf87a3aabe12e45458581e9705d83.tar.gz |
gnu: w3m: Enable SSL, disable broken protocols and ciphers.
Fixes <http://bugs.gnu.org/16791>. * gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: New file. * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: New file. * gnu/packages/patches/w3m-disable-weak-ciphers.patch: New file. * gnu/packages/w3m.scm (w3m)[source]: Add patches. * gnu-system.am (dist_patch_DATA): Add the new files.
-rw-r--r-- | gnu-system.am | 3 | ||||
-rw-r--r-- | gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch | 24 | ||||
-rw-r--r-- | gnu/packages/patches/w3m-disable-weak-ciphers.patch | 24 | ||||
-rw-r--r-- | gnu/packages/patches/w3m-force-ssl_verify_server-on.patch | 24 | ||||
-rw-r--r-- | gnu/packages/w3m.scm | 5 |
5 files changed, 79 insertions, 1 deletions
diff --git a/gnu-system.am b/gnu-system.am index bed041a946..7c4112a7e6 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -699,6 +699,9 @@ dist_patch_DATA = \ gnu/packages/patches/vpnc-script.patch \ gnu/packages/patches/vtk-mesa-10.patch \ gnu/packages/patches/w3m-libgc.patch \ + gnu/packages/patches/w3m-force-ssl_verify_server-on.patch \ + gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch \ + gnu/packages/patches/w3m-disable-weak-ciphers.patch \ gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch \ gnu/packages/patches/weechat-python.patch \ gnu/packages/patches/weex-vacopy.patch \ diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch new file mode 100644 index 0000000000..5b78f2d909 --- /dev/null +++ b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch @@ -0,0 +1,24 @@ +Subject: Disable SSLv2 and SSLv3. + +The only remaining methods are TLSv1.* (the code never distinguishes +between TLSv1.0, TLSv1.1, and TLSv1.2). +--- + fm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fm.h b/fm.h +index 320906c..ddcd4fc 100644 +--- a/fm.h ++++ b/fm.h +@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE); + #endif /* defined(USE_SSL) && + * defined(USE_SSL_VERIFY) */ + #ifdef USE_SSL +-global char *ssl_forbid_method init(NULL); ++global char *ssl_forbid_method init("2, 3"); + #endif + + global int is_redisplay init(FALSE); +-- +2.6.4 + diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch b/gnu/packages/patches/w3m-disable-weak-ciphers.patch new file mode 100644 index 0000000000..4780d54cb6 --- /dev/null +++ b/gnu/packages/patches/w3m-disable-weak-ciphers.patch @@ -0,0 +1,24 @@ +Subject: Disable weak ciphers + +Disable RC4, "export ciphers", and all keys < 128 bits. + +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674 +--- + url.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/url.c b/url.c +index ed6062e..e86b1f3 100644 +--- a/url.c ++++ b/url.c +@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert) + SSL_load_error_strings(); + if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method()))) + goto eend; ++ SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP"); + option = SSL_OP_ALL; + if (ssl_forbid_method) { + if (strchr(ssl_forbid_method, '2')) +-- +2.6.4 + diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch new file mode 100644 index 0000000000..dc9f117f9d --- /dev/null +++ b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch @@ -0,0 +1,24 @@ +Subject: Force ssl_verify_server on. + +By default, SSL/TLS certificates are not verified. This enables the +verification. +--- + fm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fm.h b/fm.h +index 8378939..320906c 100644 +--- a/fm.h ++++ b/fm.h +@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE); + #endif + + #if defined(USE_SSL) && defined(USE_SSL_VERIFY) +-global int ssl_verify_server init(FALSE); ++global int ssl_verify_server init(TRUE); + global char *ssl_cert_file init(NULL); + global char *ssl_key_file init(NULL); + global char *ssl_ca_path init(NULL); +-- +2.6.4 + diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm index 113bfc484c..45c9375def 100644 --- a/gnu/packages/w3m.scm +++ b/gnu/packages/w3m.scm @@ -44,7 +44,10 @@ "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579")) ;; cf. https://bugs.archlinux.org/task/33397 - (patches (list (search-patch "w3m-libgc.patch"))))) + (patches (list (search-patch "w3m-libgc.patch") + (search-patch "w3m-force-ssl_verify_server-on.patch") + (search-patch "w3m-disable-sslv2-and-sslv3.patch") + (search-patch "w3m-disable-weak-ciphers.patch"))))) (build-system gnu-build-system) (arguments `(#:tests? #f ; no check target #:phases (alist-cons-before |