[packages/iksemel] - rel 5; from debian; fixes TLS connections in some cases - https://bugs.debian.org/cgi-bin/bugrepor

arekm arekm at pld-linux.org
Sat Nov 5 20:38:52 CET 2016


commit f80e5d5b3da930f150a2b5dd5b9cc8bff65d6da0
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Sat Nov 5 20:38:47 2016 +0100

    - rel 5; from debian; fixes TLS connections in some cases - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803204

 iksemel.spec                |  4 +++-
 secure_gnutls_options.patch | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
---
diff --git a/iksemel.spec b/iksemel.spec
index aa85e38..b8b9b29 100644
--- a/iksemel.spec
+++ b/iksemel.spec
@@ -2,12 +2,13 @@ Summary:	Library for the Jabber instant-messaging IM platform
 Summary(pl.UTF-8):	Biblioteka dla platformy komunikacyjnej Jabbera
 Name:		iksemel
 Version:	1.4
-Release:	4
+Release:	5
 License:	LGPL
 Group:		Libraries
 Source0:	http://iksemel.googlecode.com/files/%{name}-%{version}.tar.gz
 # Source0-md5:	532e77181694f87ad5eb59435d11c1ca
 Patch0:		%{name}-configure.patch
+Patch1:		secure_gnutls_options.patch
 URL:		http://code.google.com/p/iksemel/
 BuildRequires:	autoconf >= 2.50
 BuildRequires:	automake
@@ -55,6 +56,7 @@ Statyczna wersja biblioteki Iksemel.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 
 %build
 %{__libtoolize}
diff --git a/secure_gnutls_options.patch b/secure_gnutls_options.patch
new file mode 100644
index 0000000..bf09e17
--- /dev/null
+++ b/secure_gnutls_options.patch
@@ -0,0 +1,38 @@
+Last-Update: 2015-10-28
+Bug-Upstream: https://github.com/meduketto/iksemel/issues/48
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803204
+From: Marc Dequènes (duck) <duck at duckcorp.org>
+Description: fix security problem (and compatibility problem with servers rejecting low grade ciphers).
+
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -62,13 +62,9 @@
+ 
+ static int
+ handshake (struct stream_data *data)
+ {
+-	const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
+-	const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
+-	const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
+-	const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
+-	const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
++	const char *priority_string = "SECURE256:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2";
+ 	int ret;
+ 
+ 	if (gnutls_global_init () != 0)
+ 		return IKS_NOMEM;
+@@ -79,13 +75,9 @@
+ 	if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
+ 		gnutls_certificate_free_credentials (data->cred);
+ 		return IKS_NOMEM;
+ 	}
+-	gnutls_protocol_set_priority (data->sess, protocol_priority);
+-	gnutls_cipher_set_priority(data->sess, cipher_priority);
+-	gnutls_compression_set_priority(data->sess, comp_priority);
+-	gnutls_kx_set_priority(data->sess, kx_priority);
+-	gnutls_mac_set_priority(data->sess, mac_priority);
++	gnutls_priority_set_direct(data->sess, priority_string, NULL);
+ 	gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
+ 
+ 	gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
+ 	gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);
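Review bot: The result of `gnutls_priority_set_direct` in the second stream.c hunk is discarded, so if the installed GnuTLS rejects the priority string, the session carries on without the intended cipher policy and any failure presumably shows up only later in the handshake. Check the result and unwind as the `gnutls_init` failure branch just above does; the excerpt below shows one way. Separately, `-VERS-TLS-ALL:+VERS-TLS1.2` pins the client to exactly TLS 1.2, so peers limited to older versions will fail to connect and no other protocol version is ever offered. A comment above `priority_string` would record that this is deliberate, e.g. `/* TLS 1.2 only, 192/256-bit suites; revisit when the minimum GnuTLS version changes */`. handshake() continues beyond the hunk, so certificate verification and the later cleanup paths cannot be judged from here.

```c
	/* … unchanged: gnutls_init failure branch … */
	ret = gnutls_priority_set_direct (data->sess, priority_string, NULL);
	if (ret != GNUTLS_E_SUCCESS) {
		/* Refuse to continue with an unknown cipher policy. */
		gnutls_deinit (data->sess);
		gnutls_certificate_free_credentials (data->cred);
		return IKS_NET_TLSFAIL;
	}
	gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
```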
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/iksemel.git/commitdiff/f80e5d5b3da930f150a2b5dd5b9cc8bff65d6da0


