Changeset ec06980 in mod_gnutls for src/gnutls_hooks.c
- Timestamp:
- Jan 11, 2013, 12:55:31 AM (8 years ago)
- Branches:
- debian/master, debian/stretch-backports, jessie-backports, upstream
- Children:
- 40ac29f, a4839ae
- Parents:
- 70c2d86
- File:
-
- 1 edited
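--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -125,8 +125,12 @@
 }
 
+/* We don't support openpgp certificates, yet */
+const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
+
 static int mgs_select_virtual_server_cb( gnutls_session_t session)
 {
 mgs_handle_t *ctxt;
 mgs_srvconf_rec *tsc;
+int ret;
 
 ctxt = gnutls_transport_get_ptr(session);
@@ -155,24 +159,17 @@
 }
 
-/* enable the default priorities and override them later on
+/* update the priorities - to avoid negotiating a ciphersuite that is not
+* enabled on this virtual server. Note that here we ignore the version
+* negotiation.
 */
-gnutls_set_default_priority( session);
-
-/* update the priorities - to avoid negotiating a ciphersuite that is not
-* enabled on this virtual server
-*/
-if (ctxt->sc->ciphers[0] != 0)
-gnutls_cipher_set_priority(session, ctxt->sc->ciphers);
-if (ctxt->sc->compression[0] != 0)
-gnutls_compression_set_priority(session, ctxt->sc->compression);
-if (ctxt->sc->key_exchange[0] != 0)
-gnutls_kx_set_priority(session, ctxt->sc->key_exchange);
-if (ctxt->sc->macs[0] != 0)
-gnutls_mac_set_priority(session, ctxt->sc->macs);
-if (ctxt->sc->cert_types[0] != 0)
-gnutls_certificate_type_set_priority(session, ctxt->sc->cert_types);
-
-/* allow separate caches per virtual host. Actually allowing the same is not
-* a good idea, especially if they have different security requirements.
+ret = gnutls_priority_set( session, ctxt->sc->priorities);
+gnutls_certificate_type_set_priority( session, cert_type_prio);
+
+
+/* actually it shouldn't fail since we have checked at startup */
+if (ret < 0) return ret;
+
+/* allow separate caches per virtual host. Actually allowing the same is a
+* bad idea, since they might have different security requirements.
 */
 mgs_cache_session_init(ctxt);
@@ -535,5 +532,7 @@
 
 
-
+static const int protocol_priority[] = {
+GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
+
 
 static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
@@ -565,6 +564,10 @@
 */
 gnutls_session_enable_compatibility_mode( ctxt->session);
-
-gnutls_protocol_set_priority(ctxt->session, sc->protocol);
+
+/* because we don't set any default priorities here (we set later at
+* the user hello callback) we need to at least set this in order for
+* gnutls to be able to read packets.
+*/
+gnutls_protocol_set_priority( ctxt->session, protocol_priority);
 
 gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb);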
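Review bot: The fixed `protocol_priority` table passed to `gnutls_protocol_set_priority` in create_gnutls_handle (`GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0`) now decides which versions the server accepts, and the new comment in mgs_select_virtual_server_cb says version negotiation is not revisited when `ctxt->sc->priorities` is applied later, so an administrator's priority string can apparently no longer disable SSL 3.0 or admit anything newer than TLS 1.1. The removed line took the version list from the server configuration (`sc->protocol`); if `sc->priorities` is validated for every server at startup as the callback's comment implies, the initial setting could instead be `gnutls_priority_set(ctxt->session, sc->priorities);` so the default server's configured versions bound the handshake before the vhost-specific string is re-applied, rather than a hard-coded list that must be edited whenever a version is retired. If the fixed list is kept, the return value of that call and of `gnutls_certificate_type_set_priority( session, cert_type_prio)` should at least be checked, since only `gnutls_priority_set` currently feeds `ret`. Both create_gnutls_handle and mgs_select_virtual_server_cb continue outside the hunks.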