>From 19f2947395f5c73c986f993c2b2f570ebe06b3cb Mon Sep 17 00:00:00 2001
From: Tim Ruehsen
Date: Mon, 9 Sep 2013 10:36:09 +0200
Subject: [PATCH] better backport availability for PFS feature
---
 src/ChangeLog | 6 ++++++
 src/gnutls.c | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index 787c9c6..ed8ebef 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,9 @@
+2013-09-09 Tim Ruehsen
+
+ * gnutls.c (ssl_connect_wget): changed checking of option "PFS"
+ to be better prepared for some kinds of backports.
+ Reported by: Daniel Kahn Gillmor
+
 2013-09-07 Tim Ruehsen
 
 * gnutls.c (ssl_connect_wget): use gnutls_check_version()
diff --git a/src/gnutls.c b/src/gnutls.c
index 94dfaed..9b4b1ec 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -443,9 +443,9 @@ ssl_connect_wget (int fd, const char *hostname)
 err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL);
 break;
 case secure_protocol_pfs:
- if (gnutls_check_version("3.2.4"))
- err = gnutls_priority_set_direct (session, "PFS", NULL);
- else
+ err = gnutls_priority_set_direct (session, "PFS", NULL);
+ if (err != GNUTLS_E_SUCCESS)
+ /* fallback if PFS is not available */
 err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
 break;
 default:
-- 
1.8.4.rc3
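Review bot: The fallback in the `secure_protocol_pfs` case fires on any non-success return from the first `gnutls_priority_set_direct` call, not only when the library does not recognise the "PFS" keyword. GnuTLS documents `GNUTLS_E_INVALID_REQUEST` for a priority string it cannot parse, so `if (err == GNUTLS_E_INVALID_REQUEST)` would limit the retry to the backport case the commit is about and leave other failures in `err` untouched. The comment could also say what the fallback actually provides, e.g. `/* "PFS" keyword unknown to this GnuTLS: approximate it by removing static RSA key exchange */`, because a user who requested PFS currently gets no indication which priority string was applied. How `err` is checked afterwards is outside the hunk, as is the rest of `ssl_connect_wget`.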