gnutls: enforced use of SSLv3

With advice from Nikos Mavrogiannopoulos, changed the priority string to add "actual priorities" and favour ARCFOUR. This makes libcurl work better when enforcing SSLv3 with GnuTLS. Both in the sense that the libmicrohttpd test is now working again but also that it mitigates a weakness in the older SSL/TLS protocols. Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html Reported by: Christian Grothoff
2012-01-23 23:53:06 +01:00 · 2012-01-23 23:53:06 +01:00 · 70f71bb99f
--- a/lib/gtls.c
+++ b/lib/gtls.c
@ -453,7 +453,13 @@ gtls_connect_step1(struct connectdata *conn,
    rc = gnutls_protocol_set_priority(session, protocol_priority);
 #else
    const char *err;
-    rc = gnutls_priority_set_direct(session, "-VERS-TLS-ALL:+VERS-SSL3.0",
+    /* the combination of the cipher ARCFOUR with SSL 3.0 and TLS 1.0 is not
+       vulnerable to attacks such as the BEAST, why this code now explicitly
+       asks for that
+    */
+    rc = gnutls_priority_set_direct(session,
+                                    "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:"
+                                    "-CIPHER-ALL:+ARCFOUR-128",
                                    &err);
 #endif
    if(rc != GNUTLS_E_SUCCESS)