[Commits] [SCM] claws branch, master, updated. 3.14.0-59-gb130471
ticho at claws-mail.org
Fri Sep 2 11:30:11 CEST 2016
The branch, master has been updated
via b130471c6066581ae882fa049603e2e3567585c7 (commit)
from 49e55fb57409d81e8091c881cf47deb23777a423 (commit)
Summary of changes:
src/common/ssl.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
- Log -----------------------------------------------------------------
commit b130471c6066581ae882fa049603e2e3567585c7
Author: Andrej Kacian <ticho at claws-mail.org>
Date: Fri Sep 2 11:22:50 2016 +0200
Be more strict about minimum DH prime size for TLS connections.
Since GnuTLS 3.1.7, this minimum size is dictated by the
priority string, and the current (GnuTLS 3.3.0) "safe-enough"
value is 1008 bits. We set this minimum size explicitly
for older GnuTLS versions.
Users who are affected by this (their servers use a DH prime
smaller than 1008 bits) can override this by using a priority
string starting with the keyword "LEGACY". This keyword
only works with GnuTLS 3.3.0 or newer, however.
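An added example to make the policy above concrete; this is not Claws Mail or GnuTLS code, but a stand-alone model of the check a TLS client applies to the server's ephemeral DH group: measure the prime's real bit length, then compare it with the floor selected by the priority string. The 1008-bit floor is the value from the commit; the 512-bit floor used for "LEGACY", the function names and the sample data are assumptions made here for illustration (the sample "primes" are constructed byte strings of the requested length, not real primes). The bit-length routine skips leading zero bytes, because a DER INTEGER whose top bit is set carries a 0x00 pad byte, and `len * 8` would then overstate a 1024-bit group as 1032 bits.

```c
/* Added example: model of a client-side minimum DH prime size check.
 * Not Claws Mail or GnuTLS code. Floors: 1008 from the commit message,
 * 512 for LEGACY is an assumption (it is the value the commit removes). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DH_MIN_BITS_NORMAL 1008u  /* from the commit */
#define DH_MIN_BITS_LEGACY 512u   /* assumed stand-in for the LEGACY floor */

/* Effective bit length of a big-endian unsigned integer, ignoring leading
 * zero bytes (DER pads a positive INTEGER with 0x00 when the top bit is set). */
size_t dh_prime_bits(const unsigned char *p, size_t len)
{
    size_t i = 0, bits;
    unsigned char top;

    while (i < len && p[i] == 0)
        i++;
    if (i == len)
        return 0;                     /* all zero: no integer at all */
    bits = (len - i - 1) * 8;         /* full bytes below the leading one */
    for (top = p[i]; top; top >>= 1)
        bits++;                       /* significant bits of the leading byte */
    return bits;
}

/* Model of the priority-string rule: a string starting with "LEGACY"
 * lowers the floor, anything else gets the NORMAL floor. */
unsigned dh_min_bits_for_priority(const char *priority)
{
    if (priority && strncmp(priority, "LEGACY", 6) == 0)
        return DH_MIN_BITS_LEGACY;
    return DH_MIN_BITS_NORMAL;
}

/* 1 if the server's DH prime meets the floor, 0 if the handshake should fail. */
int dh_group_acceptable(const unsigned char *p, size_t len, const char *priority)
{
    return dh_prime_bits(p, len) >= dh_min_bits_for_priority(priority);
}

/* Constructed test data: a DER-style big-endian byte string with exactly
 * nbits significant bits, all set, plus the 0x00 pad when the top bit of the
 * leading byte is set. Not a prime; only its length matters here. */
size_t make_sample_prime(unsigned char *buf, size_t bufsize, unsigned nbits)
{
    size_t nbytes, len, off = 0;
    unsigned shift;
    int pad;

    if (nbits == 0)
        return 0;
    nbytes = (nbits + 7) / 8;
    shift  = (nbits - 1) % 8;         /* position of the top bit in the lead byte */
    pad    = (shift == 7);            /* top bit set -> DER needs a 0x00 pad */
    len    = nbytes + pad;
    if (len > bufsize)
        return 0;
    if (pad)
        buf[off++] = 0x00;
    buf[off++] = (unsigned char)((2u << shift) - 1);  /* bits 0..shift set */
    memset(buf + off, 0xFF, len - off);
    return len;
}

/* Measured size of a constructed sample; shows the pad byte is not counted. */
size_t sample_prime_bits(unsigned nbits)
{
    unsigned char buf[1024];
    size_t len = make_sample_prime(buf, sizeof buf, nbits);
    return dh_prime_bits(buf, len);
}

/* Accept/reject verdict for a constructed sample under a priority string. */
int check_sample(unsigned nbits, const char *priority)
{
    unsigned char buf[1024];
    size_t len = make_sample_prime(buf, sizeof buf, nbits);
    return len ? dh_group_acceptable(buf, len, priority) : -1;
}

int main(void)
{
    const unsigned sizes[] = { 512, 768, 1007, 1008, 1024, 2048 };
    size_t i;

    printf("%6s  %5s  %6s  %6s\n", "bits", "bytes", "NORMAL", "LEGACY");
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        unsigned char buf[1024];
        size_t len = make_sample_prime(buf, sizeof buf, sizes[i]);
        printf("%6u  %5zu  %6s  %6s\n", sizes[i], len,
               dh_group_acceptable(buf, len, "NORMAL") ? "ok" : "reject",
               dh_group_acceptable(buf, len, "LEGACY") ? "ok" : "reject");
    }
    return 0;
}
```

The table shows the boundary the commit chooses: a 1007-bit group is refused under NORMAL while 1008 passes, and only the LEGACY floor lets the 512- and 768-bit groups through.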
diff --git a/src/common/ssl.c b/src/common/ssl.c
index bc8ab7d..6649878 100644
--- a/src/common/ssl.c
+++ b/src/common/ssl.c
@@ -364,7 +364,12 @@ gboolean ssl_init_socket(SockInfo *sockinfo)
gnutls_certificate_set_retrieve_function(xcred, gnutls_cert_cb);
#endif
- gnutls_dh_set_prime_bits(session, 512);
+#if GNUTLS_VERSION_NUMBER < 0x030107
+ /* Starting from GnuTLS 3.1.7, minimal size of the DH prime is
+ * set by the priority string. By default ("NORMAL"), it is 1008
+ * as of GnuTLS 3.3.0. */
+ gnutls_dh_set_prime_bits(session, 1008);
+#endif
if ((r = SSL_connect_nb(session)) < 0) {
g_warning("SSL connection failed (%s)", gnutls_strerror(r));
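Review bot: the `#if GNUTLS_VERSION_NUMBER < 0x030107` gate leaves builds against GnuTLS 3.1.7 up to 3.2.x with no explicit floor at all, while the comment inside the block only vouches for the 1008-bit default "as of GnuTLS 3.3.0"; either gate on `0x030300` so the explicit `gnutls_dh_set_prime_bits(session, 1008);` covers every version whose default the commit does not document, or state in the comment what those intermediate versions enforce. Also worth a line in the commit message: on GnuTLS older than 3.1.7 the 1008-bit floor is now hard-coded with no user override, since the LEGACY keyword the message points affected users to only works with 3.3.0 or newer.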
-----------------------------------------------------------------------
hooks/post-receive
--
Claws Mail