summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2019-01-26 23:14:12 +0100
committerLudovic Courtès <ludo@gnu.org>2019-01-26 23:18:14 +0100
commite4ee84202633636b4c8cef4a332f0c74912a3b23 (patch)
tree37c21679e3815749ff553e3bcbcc5dc85ebf6e01
parenta64676e088b20b3678c3b7b031139857e56f6658 (diff)
downloadpatches-e4ee84202633636b4c8cef4a332f0c74912a3b23.tar
patches-e4ee84202633636b4c8cef4a332f0c74912a3b23.tar.gz
download: Ask not to use TLS 1.3.
Works around <https://bugs.gnu.org/34102>. Reported by Marius Bakke <mbakke@fastmail.com>. * guix/build/download.scm (tls-wrap): Add "-VERS-TLS1.3" to the priority string when (gnutls-version) is not prefixed by "3.5".
-rw-r--r--guix/build/download.scm16
1 files changed, 14 insertions, 2 deletions
diff --git a/guix/build/download.scm b/guix/build/download.scm
index c08221b3b2..a64e0f0bd3 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -157,7 +157,8 @@ out if the connection could not be established in less than TIMEOUT seconds."
;; XXX: Use this hack instead of #:autoload to avoid compilation errors.
;; See <http://bugs.gnu.org/12202>.
(module-autoload! (current-module)
- '(gnutls) '(make-session connection-end/client))
+ '(gnutls)
+ '(gnutls-version make-session connection-end/client))
(define %tls-ports
;; Mapping of session record ports to the underlying file port.
@@ -268,7 +269,18 @@ host name without trailing dot."
;; "(gnutls) Priority Strings"); see <http://bugs.gnu.org/23311>.
;; Explicitly disable SSLv3, which is insecure:
;; <https://tools.ietf.org/html/rfc7568>.
- (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0")
+ ;;
+ ;; FIXME: Since we currently fail to handle TLS 1.3 (with GnuTLS 3.6.5),
+ ;; remove it; see <https://bugs.gnu.org/34102>.
+ (set-session-priorities! session
+ (string-append
+ "NORMAL:%COMPAT:-VERS-SSL3.0"
+
+ ;; The "VERS-TLS1.3" priority string is not
+ ;; supported by GnuTLS 3.5.
+ (if (string-prefix? "3.5." (gnutls-version))
+ ""
+ ":-VERS-TLS1.3")))
(set-session-credentials! session
(if (and verify-certificate? ca-certs)