discomfitor pushed a commit to branch ecore-1.7.

commit 2741742605a0731ee7943e38d7b59a5bca12a36d
Author: Mike Blumenkrantz <[email protected]>
Date:   Mon Mar 11 04:54:53 2013 +0000

    clean up gnutls session init in ecore-con
---
 ChangeLog                         |  4 ++++
 NEWS                              |  1 +
 src/lib/ecore_con/ecore_con_ssl.c | 14 ++++++++------
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index a95daf5..eb1d4f5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1104,3 +1104,7 @@
 
         * ecore_wayland: Add ecore_wl_registry_get
         * ecore_wayland: Add ecore_wl_globals_get
+
+2013-03-11  Mike Blumenkrantz
+
+        * cleaned up gnutls session init
diff --git a/NEWS b/NEWS
index 197f3a0..0ae7106 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,7 @@ Fixes:
     * Fixed memory usage of the internal buffer of Ecore_Con_Server.
     * Fix handling of mouse and touch screen in Ecore_Evas_Fb.
     * Fix ecore-x edid fetch to ftech 128, not 100 bytes.
+    * cleaned up gnutls session init
 
 Ecore 1.7.5
 
diff --git a/src/lib/ecore_con/ecore_con_ssl.c 
b/src/lib/ecore_con/ecore_con_ssl.c
index 20fafcc..ff35486 100644
--- a/src/lib/ecore_con/ecore_con_ssl.c
+++ b/src/lib/ecore_con/ecore_con_ssl.c
@@ -982,7 +982,7 @@ _ecore_con_ssl_server_init_gnutls(Ecore_Con_Server *svr)
    const gnutls_datum_t *cert_list;
    unsigned int iter, cert_list_size;
    gnutls_x509_crt_t cert = NULL;
-   const char *priority = 
"NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
+   const char *priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT";
    int ret = 0;
 
    switch (svr->ssl_state)
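Review bot: The new default priority string on the `+` line keeps `%VERIFY_ALLOW_X509_V1_CA_CRT`, which relaxes verification to accept X.509 v1 CA certificates, and that is now the only policy the file spells out; ciphers, MACs, compression and protocol versions are delegated to the library's `NORMAL` profile, so the effective policy follows the installed GnuTLS version rather than this code. It also changes what is offered compared with the removed explicit list (anonymous DH and DEFLATE compression are no longer listed), which is a behaviour change even though the commit describes a clean-up. I would record both points above the declaration: `/* NORMAL: library-maintained cipher/protocol profile (varies with GnuTLS version); %VERIFY_ALLOW_X509_V1_CA_CRT accepts v1 CA certs for legacy peers — needed for <REASON> */`. The client default in the _ecore_con_ssl_client_init_gnutls hunk has the same change and needs the same comment. _ecore_con_ssl_server_init_gnutls continues outside this hunk.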
@@ -998,12 +998,12 @@ _ecore_con_ssl_server_init_gnutls(Ecore_Con_Server *svr)
           {
            case ECORE_CON_USE_SSL3:
            case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
-             priority = 
"NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-TLS1.0:!VERS-TLS1.1";
+             priority = 
"NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-TLS1.0:!VERS-TLS1.1:!VERS-TLS1.2";
              break;
 
            case ECORE_CON_USE_TLS:
            case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
-             priority = 
"NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-SSL3.0";
+             priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0";
              break;
 
            case ECORE_CON_USE_MIXED:
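Review bot: The ECORE_CON_USE_SSL3 string at the `+` line expresses "SSL 3.0 only" purely by subtracting the TLS versions from `NORMAL`, so it works only while the library's `NORMAL` profile still enables SSL 3.0; the explicit `!VERS-SSL3.0` in the TLS case suggests it did at the time, but a GnuTLS release that drops SSL 3.0 from NORMAL would leave this case with no enabled protocol and a handshake failure that is hard to trace back here. That dependency deserves a comment next to the assignment, e.g. `/* SSL3-only: relies on NORMAL admitting SSL 3.0; newer GnuTLS may leave no enabled protocol */`. The client-side SSL3 case in _ecore_con_ssl_client_init_gnutls is built the same way. The enclosing switch and function run outside this hunk.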
@@ -1019,6 +1019,7 @@ _ecore_con_ssl_server_init_gnutls(Ecore_Con_Server *svr)
         SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_server_name_set(svr->session, 
GNUTLS_NAME_DNS, svr->name, strlen(svr->name)));
         INF("Applying priority string: %s", priority);
         SSL_ERROR_CHECK_GOTO_ERROR(ret = 
gnutls_priority_set_direct(svr->session, priority, NULL));
+        gnutls_handshake_set_private_extensions(svr->session, 1);
         SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(svr->session, 
GNUTLS_CRD_CERTIFICATE, svr->cert));
         // SSL_ERROR_CHECK_GOTO_ERROR(ret = 
gnutls_credentials_set(svr->session, GNUTLS_CRD_PSK, svr->pskcred_c));
         if (!svr->use_cert)
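Review bot: `gnutls_handshake_set_private_extensions(svr->session, 1)` on the `+` line is new behaviour that neither the commit message nor a comment explains, and it is the only call in this init sequence not wrapped in SSL_ERROR_CHECK_GOTO_ERROR. If the function returns void, as I believe the GnuTLS prototype does, that is fine, but a reader will otherwise assume a dropped error code; a short comment settles it: `/* void in GnuTLS: allow negotiation of private (experimental) TLS extensions; needed for <REASON> */`. The same unguarded call is added in the client hunk of _ecore_con_ssl_client_init_gnutls. The function continues past the end of this hunk.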
@@ -1302,7 +1303,7 @@ _ecore_con_ssl_client_init_gnutls(Ecore_Con_Client *cl)
 {
    const gnutls_datum_t *cert_list;
    unsigned int iter, cert_list_size;
-   const char *priority = 
"NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
+   const char *priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT";
    int ret = 0;
 
    switch (cl->ssl_state)
@@ -1318,12 +1319,12 @@ _ecore_con_ssl_client_init_gnutls(Ecore_Con_Client *cl)
           {
            case ECORE_CON_USE_SSL3:
            case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
-             priority = 
"NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-TLS1.0:!VERS-TLS1.1";
+             priority = 
"NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-TLS1.0:!VERS-TLS1.1:!VERS-TLS1.2";
              break;
 
            case ECORE_CON_USE_TLS:
            case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
-             priority = 
"NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-SSL3.0";
+             priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0";
              break;
 
            case ECORE_CON_USE_MIXED:
@@ -1341,6 +1342,7 @@ _ecore_con_ssl_client_init_gnutls(Ecore_Con_Client *cl)
         SSL_ERROR_CHECK_GOTO_ERROR(ret = 
gnutls_session_ticket_enable_server(cl->session, &cl->session_ticket));
         INF("Applying priority string: %s", priority);
         SSL_ERROR_CHECK_GOTO_ERROR(ret = 
gnutls_priority_set_direct(cl->session, priority, NULL));
+        gnutls_handshake_set_private_extensions(cl->session, 1);
         SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(cl->session, 
GNUTLS_CRD_CERTIFICATE, cl->host_server->cert));
         //  SSL_ERROR_CHECK_GOTO_ERROR(ret = 
gnutls_credentials_set(cl->session, GNUTLS_CRD_PSK, 
cl->host_server->pskcred_s));
         if (!cl->host_server->use_cert)

-- 
