Difuse/telephony
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
telephony/libs/iksemel/patches/002-secure_gnutls_options.patch
Sebastian Kemper 629005d093 iksemel: fixes and cleanups 
- Currently iksemel doesn't recognize gnutls anymore. Fix that by
  substituting the currently used patches with one that also Debian is
  using. It allows gnutls detection via pkgconfig.
- Add another patch Debian is using to enable secure gnutls options.
- Update project URL.
- Remove unneeded flags and Build/Prepare customizations.
- Cleanup DEPENDS.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2017-10-08 10:53:57 +02:00

38 lines
1.6 KiB
Diff
Raw Permalink Blame History

Last-Update: 2015-10-28
Bug-Upstream: https://github.com/meduketto/iksemel/issues/48
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803204
From: Marc Dequènes (duck) <duck@duckcorp.org>
Description: fix security problem (and compatibility problem with servers rejecting low grade ciphers).
--- a/src/stream.c
+++ b/src/stream.c
@@ -62,13 +62,9 @@
static int
handshake (struct stream_data *data)
{
- const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
- const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
- const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
- const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
- const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
+ const char *priority_string = "SECURE256:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2";
int ret;
if (gnutls_global_init () != 0)
return IKS_NOMEM;
@@ -79,13 +75,9 @@
if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
gnutls_certificate_free_credentials (data->cred);
return IKS_NOMEM;
}
- gnutls_protocol_set_priority (data->sess, protocol_priority);
- gnutls_cipher_set_priority(data->sess, cipher_priority);
- gnutls_compression_set_priority(data->sess, comp_priority);
- gnutls_kx_set_priority(data->sess, kx_priority);
- gnutls_mac_set_priority(data->sess, mac_priority);
+ gnutls_priority_set_direct(data->sess, priority_string, NULL);
gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);
Reference in a new issue View git blame Copy permalink