
01/01: download: Ask not to use TLS 1.3.


From: guix-commits
Subject: 01/01: download: Ask not to use TLS 1.3.
Date: Sat, 26 Jan 2019 17:20:46 -0500 (EST)

civodul pushed a commit to branch staging
in repository guix.

commit e4ee84202633636b4c8cef4a332f0c74912a3b23
Author: Ludovic Courtès <address@hidden>
Date:   Sat Jan 26 23:14:12 2019 +0100

    download: Ask not to use TLS 1.3.
    
    Works around <https://bugs.gnu.org/34102>.
    Reported by Marius Bakke <address@hidden>.
    
    * guix/build/download.scm (tls-wrap): Add "-VERS-TLS1.3" to the priority
    string when (gnutls-version) is not prefixed by "3.5".
---
 guix/build/download.scm | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/guix/build/download.scm b/guix/build/download.scm
index c08221b..a64e0f0 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -157,7 +157,8 @@ out if the connection could not be established in less than 
TIMEOUT seconds."
 ;; XXX: Use this hack instead of #:autoload to avoid compilation errors.
 ;; See <http://bugs.gnu.org/12202>.
 (module-autoload! (current-module)
-                  '(gnutls) '(make-session connection-end/client))
+                  '(gnutls)
+                  '(gnutls-version make-session connection-end/client))
 
 (define %tls-ports
   ;; Mapping of session record ports to the underlying file port.
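Review bot: the `gnutls-version` symbol added to this autoload list is only consumed by the TLS 1.3 workaround in `tls-wrap` further down, and nothing in this hunk says so; a short comment next to the autoload (e.g. "gnutls-version: needed for the TLS 1.3 workaround, see <https://bugs.gnu.org/34102>") would let whoever removes the workaround later drop this symbol in the same change instead of leaving a stale autoload behind.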
@@ -268,7 +269,18 @@ host name without trailing dot."
     ;; "(gnutls) Priority Strings"); see <http://bugs.gnu.org/23311>.
     ;; Explicitly disable SSLv3, which is insecure:
     ;; <https://tools.ietf.org/html/rfc7568>.
-    (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0")
+    ;;
+    ;; FIXME: Since we currently fail to handle TLS 1.3 (with GnuTLS 3.6.5),
+    ;; remove it; see <https://bugs.gnu.org/34102>.
+    (set-session-priorities! session
+                             (string-append
+                              "NORMAL:%COMPAT:-VERS-SSL3.0"
+
+                              ;; The "VERS-TLS1.3" priority string is not
+                              ;; supported by GnuTLS 3.5.
+                              (if (string-prefix? "3.5." (gnutls-version))
+                                  ""
+                                  ":-VERS-TLS1.3")))
 
     (set-session-credentials! session
                               (if (and verify-certificate? ca-certs)
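Review bot: the version test in this hunk, `(string-prefix? "3.5." (gnutls-version))`, only matches the 3.5.x series, so any older GnuTLS (3.4.x and below) would still receive the ":-VERS-TLS1.3" suffix even though the comment states that keyword is not supported before 3.6; if those versions reject it the same way 3.5 does, a comparison that treats everything below 3.6 alike (e.g. `(version<? (gnutls-version) "3.6")` rather than a prefix check) would be safer. Also, the FIXME explains the workaround as being for GnuTLS 3.6.5, but the suffix is applied unconditionally to every non-3.5 version, including future ones where TLS 1.3 handling may work; a note on what condition allows removing the `:-VERS-TLS1.3` exclusion, or a cap on the affected versions, would keep this from silently downgrading to TLS 1.2 forever.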


