[glib-networking] gnutls: Stop using %LATEST_RECORD_VERSION in priority string



commit c0aaea9962fbb4788ea94a55b35188f3c193e123
Author: Michael Catanzaro <mcatanzaro igalia com>
Date:   Mon May 15 20:29:27 2017 -0500

    gnutls: Stop using %LATEST_RECORD_VERSION in priority string
    
    This was added after POODLE to deal with broken servers that conflated
    TLS record version with protocol version and started blocking clients
    that used the SSLv3 record version. Now that SSLv3 is no longer enabled
    by WebKit or newer versions of GnuTLS, there is no longer any reason
    to keep doing this, and it's breaking interoperability with other broken
    servers. Remove it.
    
    This also adds a comment to clarify the confusing duplication of
    %COMPAT in the fallback priority string.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=782218

 tls/gnutls/gtlsconnection-gnutls.c |   21 ++++-----------------
 1 files changed, 4 insertions(+), 17 deletions(-)
---
diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
index ca4730b..51ac2fa 100644
--- a/tls/gnutls/gtlsconnection-gnutls.c
+++ b/tls/gnutls/gtlsconnection-gnutls.c
@@ -213,7 +213,7 @@ g_tls_connection_gnutls_init (GTlsConnectionGnutls *gnutls)
 /* First field is "fallback", second is "allow unsafe rehandshaking" */
 static gnutls_priority_t priorities[2][2];
 
-#define DEFAULT_BASE_PRIORITY "NORMAL:%COMPAT:%LATEST_RECORD_VERSION"
+#define DEFAULT_BASE_PRIORITY "NORMAL:%COMPAT"
 
 static void
 g_tls_connection_gnutls_init_priorities (void)
@@ -255,24 +255,11 @@ g_tls_connection_gnutls_init_priorities (void)
     }
   else
     {
-      gchar *cleaned_base, *p, *rest;
-
-      /* fallback_priority should be based on base_priority, except
-       * that we don't want %LATEST_RECORD_VERSION in it.
-       */
-      cleaned_base = g_strdup (base_priority);
-      p = strstr (cleaned_base, ":%LATEST_RECORD_VERSION");
-      if (p)
-       {
-         rest = p + strlen (":%LATEST_RECORD_VERSION");
-         memmove (p, rest, strlen (rest) + 1);
-       }
-
+      /* %COMPAT is intentionally duplicated here, to ensure it gets added for
+       * the fallback even if the default priority has been changed. */
       fallback_priority = g_strdup_printf ("%s:%%COMPAT:!VERS-TLS-ALL:+VERS-%s",
-                                          cleaned_base,
+                                          DEFAULT_BASE_PRIORITY,
                                           gnutls_protocol_get_name (fallback_proto));
-
-      g_free (cleaned_base);
     }
   fallback_unsafe_rehandshake_priority = g_strdup_printf ("%s:%%UNSAFE_RENEGOTIATION",
                                                          fallback_priority);
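Review bot: The `fallback_priority = g_strdup_printf (...)` call now formats `DEFAULT_BASE_PRIORITY` where the removed code formatted a cleaned copy of `base_priority`, so any non-default base priority that reaches this branch is silently dropped from the fallback path; with `%LATEST_RECORD_VERSION` gone there is nothing left to strip, so `base_priority,` can be passed directly in place of `DEFAULT_BASE_PRIORITY,`. That also makes the newly added comment hold: `DEFAULT_BASE_PRIORITY` always contains `%COMPAT`, so the "even if the default priority has been changed" case only arises when the runtime `base_priority` is what gets formatted. Where `base_priority` is assigned, and what the `if` branch closed at the top of the hunk covers, is outside the hunk, so whether a custom value can reach this branch is inferred rather than visible. `g_tls_connection_gnutls_init_priorities` begins before the hunk and continues after it.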

