guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

02/02: gnu: w3m: Enable SSL, disable broken protocols and ciphers.


From: Leo Famulari
Subject: 02/02: gnu: w3m: Enable SSL, disable broken protocols and ciphers.
Date: Thu, 07 Jan 2016 07:36:06 +0000

lfam pushed a commit to branch master
in repository guix.

commit 62339e2d493bf87a3aabe12e45458581e9705d83
Author: Leo Famulari <address@hidden>
Date:   Tue Jan 5 19:26:25 2016 -0500

    gnu: w3m: Enable SSL, disable broken protocols and ciphers.
    
    Fixes <http://bugs.gnu.org/16791>.
    
    * gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: New file.
    * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: New file.
    * gnu/packages/patches/w3m-disable-weak-ciphers.patch: New file.
    * gnu/packages/w3m.scm (w3m)[source]: Add patches.
    * gnu-system.am (dist_patch_DATA): Add the new files.
---
 gnu-system.am                                      |    3 ++
 .../patches/w3m-disable-sslv2-and-sslv3.patch      |   24 ++++++++++++++++++++
 .../patches/w3m-disable-weak-ciphers.patch         |   24 ++++++++++++++++++++
 .../patches/w3m-force-ssl_verify_server-on.patch   |   24 ++++++++++++++++++++
 gnu/packages/w3m.scm                               |    5 +++-
 5 files changed, 79 insertions(+), 1 deletions(-)

diff --git a/gnu-system.am b/gnu-system.am
index bed041a..7c4112a 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -699,6 +699,9 @@ dist_patch_DATA =                                           
\
   gnu/packages/patches/vpnc-script.patch                       \
   gnu/packages/patches/vtk-mesa-10.patch                       \
   gnu/packages/patches/w3m-libgc.patch                         \
+  gnu/packages/patches/w3m-force-ssl_verify_server-on.patch    \
+  gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch       \
+  gnu/packages/patches/w3m-disable-weak-ciphers.patch          \
   gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch     \
   gnu/packages/patches/weechat-python.patch                    \
   gnu/packages/patches/weex-vacopy.patch                       \
diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch 
b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
new file mode 100644
index 0000000..5b78f2d
--- /dev/null
+++ b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
@@ -0,0 +1,24 @@
+Subject: Disable SSLv2 and SSLv3.
+
+The only remaining methods are TLSv1.* (the code never distinguishes
+between TLSv1.0, TLSv1.1, and TLSv1.2).
+---
+ fm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fm.h b/fm.h
+index 320906c..ddcd4fc 100644
+--- a/fm.h
++++ b/fm.h
+@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE);
+ #endif                                /* defined(USE_SSL) &&
+                                * defined(USE_SSL_VERIFY) */
+ #ifdef USE_SSL
+-global char *ssl_forbid_method init(NULL);
++global char *ssl_forbid_method init("2, 3");
+ #endif
+ 
+ global int is_redisplay init(FALSE);
+-- 
+2.6.4
+
diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch 
b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
new file mode 100644
index 0000000..4780d54
--- /dev/null
+++ b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
@@ -0,0 +1,24 @@
+Subject: Disable weak ciphers
+
+Disable RC4, "export ciphers", and all keys < 128 bits.
+
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674
+---
+ url.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/url.c b/url.c
+index ed6062e..e86b1f3 100644
+--- a/url.c
++++ b/url.c
+@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
+       SSL_load_error_strings();
+       if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
+           goto eend;
++      SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP");
+       option = SSL_OP_ALL;
+       if (ssl_forbid_method) {
+           if (strchr(ssl_forbid_method, '2'))
+-- 
+2.6.4
+
diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch 
b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
new file mode 100644
index 0000000..dc9f117
--- /dev/null
+++ b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
@@ -0,0 +1,24 @@
+Subject: Force ssl_verify_server on.
+
+By default, SSL/TLS certificates are not verified. This enables the
+verification.
+---
+ fm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fm.h b/fm.h
+index 8378939..320906c 100644
+--- a/fm.h
++++ b/fm.h
+@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE);
+ #endif
+ 
+ #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
+-global int ssl_verify_server init(FALSE);
++global int ssl_verify_server init(TRUE);
+ global char *ssl_cert_file init(NULL);
+ global char *ssl_key_file init(NULL);
+ global char *ssl_ca_path init(NULL);
+-- 
+2.6.4
+
diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm
index 113bfc4..45c9375 100644
--- a/gnu/packages/w3m.scm
+++ b/gnu/packages/w3m.scm
@@ -44,7 +44,10 @@
                "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"))
 
              ;; cf. https://bugs.archlinux.org/task/33397
-             (patches (list (search-patch "w3m-libgc.patch")))))
+             (patches (list (search-patch "w3m-libgc.patch")
+                            (search-patch 
"w3m-force-ssl_verify_server-on.patch")
+                            (search-patch "w3m-disable-sslv2-and-sslv3.patch")
+                            (search-patch "w3m-disable-weak-ciphers.patch")))))
     (build-system gnu-build-system)
     (arguments `(#:tests? #f  ; no check target
                  #:phases (alist-cons-before



reply via email to

[Prev in Thread] Current Thread [Next in Thread]