This is a great contribution -- thanks Tim!  One comment below:

On 09/03/2013 05:55 AM, Tim Ruehsen wrote:
> diff --git a/src/gnutls.c b/src/gnutls.c
> index 0499a25..e76a3cc 100644
> --- a/src/gnutls.c
> +++ b/src/gnutls.c
> @@ -442,6 +442,13 @@ ssl_connect_wget (int fd, const char *hostname)
>      case secure_protocol_tlsv1:
>        err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", 
> NULL);
>        break;
> +    case secure_protocol_pfs:
> +#if defined (GNUTLS_VERSION_NUMBER) &&  GNUTLS_VERSION_NUMBER >= 0x030204
> +      err = gnutls_priority_set_direct (session, "PFS", NULL);
> +#else
> +      err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
> +#endif
> +      break;
>      default:
>        abort ();
>      }
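Review bot: the `#if defined (GNUTLS_VERSION_NUMBER) && GNUTLS_VERSION_NUMBER >= 0x030204` guard in the new `secure_protocol_pfs` case fixes the priority string at build time, so a binary compiled against 3.2.4 headers always sends "PFS" even if the shared library it actually loads is an older 3.2.x that does not recognise the keyword, and `gnutls_priority_set_direct()` will then fail where the `"NORMAL:-RSA"` fallback would have succeeded. Suggest keeping the `#if` only to gate compilation and selecting the string at runtime as well, e.g. `if (gnutls_check_version("3.2.4") != NULL)` use "PFS", else fall back to "NORMAL:-RSA", so the choice follows the library that is present rather than the headers that were present.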

The patch above does a compile-time decision about what string to use.
So if the code is compiled against GnuTLS version 3.2.4, it assumes that
"PFS" is a valid priority string.

But since 3.2.4 is SONAME 28, and 3.2.3 (for example) also uses SONAME
28, it seems possible to build against 3.2.4 but link at runtime against
3.2.3, where "PFS" won't be available as a version string.

It might be better to do a runtime check (e.g. using
gnutls_check_version(NULL) >= 0x030204) instead of a compile-time check.

Regards,

        --dkg
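The runtime selection suggested above, as an added example in C that is not part of Tim's patch or of the wget/GnuTLS sources. It assumes a hypothetical `runtime_version` string standing in for what `gnutls_check_version(NULL)` reports for the loaded library, and encodes it in the same 0xMMmmpp layout as `GNUTLS_VERSION_NUMBER` so the two can be compared; in a real build, `gnutls_check_version("3.2.4") != NULL` performs the same at-least comparison directly.

```c
#include <stdio.h>
#include <string.h>

/* Encode "MAJOR.MINOR.PATCH" as 0xMMmmpp, the layout GNUTLS_VERSION_NUMBER
 * uses (e.g. "3.2.4" -> 0x030204). Returns 0 for a malformed or NULL string,
 * which the caller treats as "too old". */
static unsigned int version_to_number(const char *v)
{
    unsigned int major, minor, patch;

    if (v == NULL || sscanf(v, "%u.%u.%u", &major, &minor, &patch) != 3)
        return 0;
    if (major > 255 || minor > 255 || patch > 255)
        return 0;
    return (major << 16) | (minor << 8) | patch;
}

/* Choose the priority string for the PFS case based on the library that is
 * actually loaded, not on the headers the binary was built against.
 * runtime_version is a hypothetical stand-in for gnutls_check_version(NULL). */
const char *pfs_priority_string(const char *runtime_version)
{
    /* "PFS" is a priority keyword only from GnuTLS 3.2.4 on. */
    if (version_to_number(runtime_version) >= 0x030204)
        return "PFS";
    /* Older library: approximate PFS by dropping plain RSA key exchange. */
    return "NORMAL:-RSA";
}

/* Mirror of the compile-time #if in the patch: the decision a binary built
 * against headers of version header_version would bake in. */
const char *compile_time_choice(unsigned int header_version)
{
    return header_version >= 0x030204 ? "PFS" : "NORMAL:-RSA";
}

int main(void)
{
    /* Constructed scenario from the review: built against 3.2.4 headers,
     * but the shared library found at runtime (same SONAME) is 3.2.3. */
    const char *loaded = "3.2.3";

    printf("compile-time choice: %s\n", compile_time_choice(0x030204));
    printf("runtime choice:      %s\n", pfs_priority_string(loaded));
    return 0;
}
```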
