Hi,

While debugging some issue in Fedora [0] I've realized that wget calls the gnutls priority functions multiple times, and that confuses gnutls in certain cases. In src/gnutls.c wget calls gnutls_set_default_priority (session), which sets the default cipher priorities according to the system policy. However, at the following lines it overwrites that policy in the switch (opt.secure_protocol).
In particular, when no options are given it enters:

```
case secure_protocol_auto:
  err = gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-SSL3.0", NULL);
```

That means that the default policy set above is overwritten. A possible fix is attached. That ensures that the priorities are set only once and that the default priorities are used when no options are specified (the latter is important for Fedora, which ensures that gnutls_set_default_priority() sets a priority string according to the system-wide policies). The use of the keyword %COMPAT is replaced by calling gnutls_session_enable_compatibility_mode().

regards,
Nikos

[0]. https://bugzilla.redhat.com/show_bug.cgi?id=1405959
From 0e5fb3c21506604e5470814a94c2e593f8f82aac Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos <[email protected]> Date: Mon, 19 Dec 2016 15:55:24 +0100 Subject: [PATCH] Avoid calling the gnutls priority functions multiple times That behavior may have unintended side-effects in certain gnutls versions. Instead use the default priorities when no options are given. Signed-off-by: Nikos Mavrogiannopoulos <[email protected]> --- src/gnutls.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/gnutls.c b/src/gnutls.c index 63c7c33..0102202 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -556,7 +556,6 @@ ssl_connect_wget (int fd, const char *hostname, int *continue_session) xfree(sni_hostname); } - gnutls_set_default_priority (session); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, credentials); #ifndef FD_TO_SOCKET # define FD_TO_SOCKET(X) (X) @@ -571,7 +570,8 @@ ssl_connect_wget (int fd, const char *hostname, int *continue_session) switch (opt.secure_protocol) { case secure_protocol_auto: - err = gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-SSL3.0", NULL); + err = gnutls_set_default_priority (session); + gnutls_session_enable_compatibility_mode(session); break; case secure_protocol_sslv2: @@ -608,6 +608,7 @@ ssl_connect_wget (int fd, const char *hostname, int *continue_session) switch (opt.secure_protocol) { case secure_protocol_auto: + err = gnutls_set_default_priority (session); break; case secure_protocol_sslv2: -- 2.10.1
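Review bot: in the first hunk, dropping the unconditional gnutls_set_default_priority (session) before gnutls_credentials_set means a session only receives priorities from the switch (opt.secure_protocol) below; any case that merely breaks without setting one (as the secure_protocol_auto case in the third hunk did before this patch) would leave the session with no priorities at all, so every case in both switch statements needs to assign one.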
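Review bot: in the second hunk, gnutls_session_enable_compatibility_mode(session) is called even when the preceding gnutls_set_default_priority (session) fails (err != 0); guarding the call, e.g. `if (err == 0) gnutls_session_enable_compatibility_mode (session);`, keeps the error path clean, and the missing space before the parenthesis departs from the `name (args)` style used on the surrounding lines.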
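Review bot: in the third hunk, the secure_protocol_auto case now calls gnutls_set_default_priority (session) but not gnutls_session_enable_compatibility_mode as the second hunk does, so the two switch statements diverge for the same option; if the %COMPAT-equivalent behaviour is intentionally not applied on this path, a short comment saying so would help, otherwise mirror the call.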
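The security-relevant point of the mail is that a hard-coded priority string silently replaces whatever the system-wide gnutls policy would have applied. The following shell snippet is an added example (not part of the mail or of the wget patch) that a packager or administrator can use to see the difference concretely: it asks gnutls-cli to list what a given priority string enables and diffs the string wget used in auto mode against gnutls' built-in default. It assumes gnutls-cli is installed (gnutls-utils on Fedora, gnutls-bin on Debian); if it is not, the functions report that instead of failing.

```shell
#!/bin/sh
# Added example (not from the wget patch or the mail): compare the algorithms
# gnutls enables for two priority strings. Assumes gnutls-cli is installed.

# Print the enabled algorithm list for one priority string, or a marker line
# when gnutls-cli is unavailable or rejects the string (never fails hard).
enabled_algos() {
    prio=$1
    if ! command -v gnutls-cli >/dev/null 2>&1; then
        echo "SKIP: gnutls-cli not installed"
        return 0
    fi
    # With --priority, "-l" prints only the ciphersuites/protocols that the
    # string enables rather than everything the library supports.
    if ! out=$(gnutls-cli --priority "$prio" -l 2>&1); then
        echo "ERROR: gnutls rejected priority string '$prio': $out"
        return 0
    fi
    printf '%s\n' "$out"
}

# Unified diff of what two priority strings enable; an empty diff means both
# resolve to the same configuration on this host.
compare_priorities() {
    a=$1
    b=$2
    tmp=${TMPDIR:-/tmp}
    enabled_algos "$a" > "$tmp/prio_a.$$"
    enabled_algos "$b" > "$tmp/prio_b.$$"
    diff -u "$tmp/prio_a.$$" "$tmp/prio_b.$$" || true
    rm -f "$tmp/prio_a.$$" "$tmp/prio_b.$$"
}

# The first string is what wget's auto mode hard-coded before the patch; the
# second is gnutls' built-in default. On Fedora/RHEL, where the system-wide
# crypto policy is in effect, use "@SYSTEM" instead of "NORMAL" to see the
# policy that gnutls_set_default_priority() actually applies there.
compare_priorities "NORMAL:%COMPAT:-VERS-SSL3.0" "NORMAL"
```

Reading the diff shows exactly which protocol versions or ciphersuites the hard-coded string adds or removes relative to the default, which is the information needed to judge whether overriding the system policy was ever acceptable.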
