Changeset 40ac29f in mod_gnutls for src/gnutls_hooks.c


Timestamp:
Jan 11, 2013, 12:55:32 AM (7 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports
Children:
9a9f943
Parents:
3f5c713 (diff), ec06980 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Merge tag 'upstream/0.4.0'

Upstream version 0.4.0

File:
1 edited

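--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -125,8 +125,12 @@
 }
 
+/* We don't support openpgp certificates, yet */
+const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
+
 static int mgs_select_virtual_server_cb( gnutls_session_t session)
 {
     mgs_handle_t *ctxt;
     mgs_srvconf_rec *tsc;
+    int ret;
 
     ctxt = gnutls_transport_get_ptr(session);
@@ -155,24 +159,17 @@
     }
 
-    /* enable the default priorities and override them later on
+    /* update the priorities - to avoid negotiating a ciphersuite that is not
+     * enabled on this virtual server. Note that here we ignore the version
+     * negotiation.
      */
-    gnutls_set_default_priority( session);
-
-    /* update the priorities - to avoid negotiating a ciphersuite that is not
-     * enabled on this virtual server
-     */
-    if (ctxt->sc->ciphers[0] != 0)
-      gnutls_cipher_set_priority(session, ctxt->sc->ciphers);
-    if (ctxt->sc->compression[0] != 0)
-      gnutls_compression_set_priority(session, ctxt->sc->compression);
-    if (ctxt->sc->key_exchange[0] != 0)
-      gnutls_kx_set_priority(session, ctxt->sc->key_exchange);
-    if (ctxt->sc->macs[0] != 0)
-      gnutls_mac_set_priority(session, ctxt->sc->macs);
-    if (ctxt->sc->cert_types[0] != 0)
-      gnutls_certificate_type_set_priority(session, ctxt->sc->cert_types);
-
-    /* allow separate caches per virtual host. Actually allowing the same is not
-     * a good idea, especially if they have different security requirements.
+    ret = gnutls_priority_set( session, ctxt->sc->priorities);
+    gnutls_certificate_type_set_priority( session, cert_type_prio);
+   
+   
+    /* actually it shouldn't fail since we have checked at startup */
+    if (ret < 0) return ret;
+
+    /* allow separate caches per virtual host. Actually allowing the same is a
+     * bad idea, since they might have different security requirements.
      */
     mgs_cache_session_init(ctxt);
@@ -535,5 +532,7 @@
 
 
-
+static const int protocol_priority[] = {
+  GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
+        
 
 static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
@@ -565,6 +564,10 @@
      */
     gnutls_session_enable_compatibility_mode( ctxt->session);
-
-    gnutls_protocol_set_priority(ctxt->session, sc->protocol);
+   
+    /* because we don't set any default priorities here (we set later at
+     * the user hello callback) we need to at least set this in order for
+     * gnutls to be able to read packets.
+     */
+    gnutls_protocol_set_priority( ctxt->session, protocol_priority);
 
     gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb);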
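Review bot: In mgs_select_virtual_server_cb the result of `gnutls_certificate_type_set_priority( session, cert_type_prio);` is discarded and the `ret < 0` check for gnutls_priority_set only runs after that second call, so a failed priority set still has the certificate-type priority applied before the error is returned; both functions return int, so check each as it is made: `ret = gnutls_priority_set( session, ctxt->sc->priorities);` `if (ret < 0) return ret;` `ret = gnutls_certificate_type_set_priority( session, cert_type_prio);` followed by the existing `if (ret < 0) return ret;`. The same applies to `gnutls_protocol_set_priority( ctxt->session, protocol_priority);` in create_gnutls_handle, whose return value is ignored even though the new comment says the handshake cannot read packets without it; that function's error path lies outside the hunk, so the check should follow whatever it does for its other failures. The new comment at lines 161-163 says version negotiation is ignored here, which presumably means the accepted protocol versions come from protocol_priority rather than from the per-vhost priority string — stating that explicitly in the comment would keep a reader from expecting the vhost priority string to restrict protocol versions. Minor style: `const static int cert_type_prio[2]` would read better as `static const int cert_type_prio[2]`, matching the protocol_priority declaration added in the same change. Both enclosing functions start or continue outside their hunks.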