author | Marius Bakke <marius@gnu.org> | 2021-06-19 17:38:47 +0200 |
---|---|---|
committer | Marius Bakke <marius@gnu.org> | 2021-06-19 17:38:47 +0200 |
commit | 6f9a80b331ae41d142a49fbeb94b90ee587b6155 (patch) | |
tree | 2da042a6ccf5368c73d6e3d54c2ee02a62d284e4 /gnu/packages/patches/curl-7.77-tls-priority-string.patch | |
parent | 6500c9a5b364616e38a7e03aa4516fc2d7cee876 (diff) | |
parent | dece03e2b98fc1c2428c2448ce5792f813eb79bf (diff) | |
download | guix-6f9a80b331ae41d142a49fbeb94b90ee587b6155.tar.gz |
Merge branch 'master' into core-updates
Note: this merge actually changes the 'curl' and 'python-attrs' derivations, as part of solving caf4a7a2770ef4d05a6e18f40d602e51da749ddc and 12964df69a99de6190422c752fef65ef813f3b6b respectively. 4604d43c0e (gnu: gnutls@3.6.16: Fix cross-compilation.) was ignored because it cannot currently be tested. Conflicts: gnu/local.mk gnu/packages/aidc.scm gnu/packages/boost.scm gnu/packages/curl.scm gnu/packages/nettle.scm gnu/packages/networking.scm gnu/packages/python-xyz.scm gnu/packages/tls.scm
Diffstat (limited to 'gnu/packages/patches/curl-7.77-tls-priority-string.patch')
-rw-r--r-- | gnu/packages/patches/curl-7.77-tls-priority-string.patch | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/gnu/packages/patches/curl-7.77-tls-priority-string.patch b/gnu/packages/patches/curl-7.77-tls-priority-string.patch
new file mode 100644
index 0000000000..bf1bfa8aaa
--- /dev/null
+++ b/gnu/packages/patches/curl-7.77-tls-priority-string.patch
@@ -0,0 +1,98 @@
+cURL 7.77.0 would use a bogus TLS priority string favoring older TLS
+protocol versions, which in turn would prevent access to bitbucket.org:
+
+ https://issues.guix.gnu.org/49035
+ https://github.com/curl/curl/pull/7278
+
+This patch fixes it.
+From <https://github.com/curl/curl/pull/7278/commits/b98f79f6ecdb708c67f9a0cec56ce48952a54556>.
+
+From b98f79f6ecdb708c67f9a0cec56ce48952a54556 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 18 Jun 2021 14:54:07 +0200
+Subject: [PATCH] gnutls: set the prefer ciphers in correct order
+
+Reported-by: civodul on github
+Assisted-by: Nikos Mavrogiannopoulos
+Fixes #7277
+---
+ lib/vtls/gtls.c | 30 +++++++++++++-----------------
+ 1 file changed, 13 insertions(+), 17 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index d9bc5611e8f9..da2af64955c3 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -330,6 +330,9 @@ set_ssl_version_min_max(struct Curl_easy *data,
+ ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
+ }
+ }
++ else if(ssl_version_max == CURL_SSLVERSION_MAX_DEFAULT) {
++ ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_3;
++ }
+
+ switch(ssl_version | ssl_version_max) {
+ case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0:
+@@ -338,11 +341,11 @@ set_ssl_version_min_max(struct Curl_easy *data,
+ return CURLE_OK;
+ case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_1:
+ *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+- "+VERS-TLS1.0:+VERS-TLS1.1";
++ "+VERS-TLS1.1:+VERS-TLS1.0";
+ return CURLE_OK;
+ case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_2:
+ *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+- "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2";
++ "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0";
+ return CURLE_OK;
+ case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_1:
+ *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+@@ -350,7 +353,7 @@ set_ssl_version_min_max(struct Curl_easy *data,
+ return CURLE_OK;
+ case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_2:
+ *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+- "+VERS-TLS1.1:+VERS-TLS1.2";
++ "+VERS-TLS1.2:+VERS-TLS1.1";
+ return CURLE_OK;
+ case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_2:
+ *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+@@ -360,25 +363,17 @@ set_ssl_version_min_max(struct Curl_easy *data,
+ *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+ "+VERS-TLS1.3";
+ return CURLE_OK;
+- case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT:
+- *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+- "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2"
+- ":+VERS-TLS1.3";
++ case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_3:
++ *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0";
+ return CURLE_OK;
+- case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_DEFAULT:
++ case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_3:
+ *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+- "+VERS-TLS1.1:+VERS-TLS1.2"
+- ":+VERS-TLS1.3";
++ "+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1";
+ return CURLE_OK;
+- case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT:
++ case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_3:
+ *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+- "+VERS-TLS1.2"
+- ":+VERS-TLS1.3";
++ "+VERS-TLS1.3:+VERS-TLS1.2";
+ return CURLE_OK;
+- case CURL_SSLVERSION_TLSv1_3 | CURL_SSLVERSION_MAX_DEFAULT:
+- *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+- "+VERS-TLS1.2"
+- ":+VERS-TLS1.3";
+ return CURLE_OK;
+ }
+
+@@ -608,6 +603,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ }
+ else {
+ #endif
++ infof(data, "GnuTLS ciphers: %s\n", prioritylist);
+ rc = gnutls_priority_set_direct(session, prioritylist, &err);
+ #ifdef HAVE_GNUTLS_SRP
+ }
 |
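Review bot: In the `@@ -360,25 +363,17 @@` hunk of the embedded gtls.c patch, the new `CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_3` case is the only one that drops `-VERS-TLS-ALL` and the explicit `+VERS-…` list, so for the default range the enabled protocol versions and their order come from whatever `GNUTLS_CIPHERS` (defined outside the hunk) and the GnuTLS defaults enable, not from this table. If that is intended, a comment on the case would keep a later edit from "fixing" it, for example `/* default range: leave protocol selection to the GnuTLS defaults */`. If the TLS 1.0 floor is meant to be explicit, the string would follow the sibling cases as `"+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0"`. The same hunk removes the `CURL_SSLVERSION_TLSv1_3 | CURL_SSLVERSION_MAX_DEFAULT` label but keeps its `return CURLE_OK;` as context, which leaves a second, unreachable return after the `TLSv1_2 | MAX_TLSv1_3` case that could be dropped. `set_ssl_version_min_max` begins and ends outside the visible hunks, so the fall-through after the `switch` is not shown here.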