Re: [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers.

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers.

From:	Leo Famulari
Subject:	Re: [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers.
Date:	Tue, 5 Jan 2016 21:05:24 -0500
User-agent:	Mutt/1.5.24 (2015-08-30)

On Tue, Jan 05, 2016 at 08:49:12PM -0500, Leo Famulari wrote:
> On Tue, Jan 05, 2016 at 08:11:12PM -0500, Leo Famulari wrote:
> > * gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: New file.
> > * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: New file.
> > * gnu/packages/patches/w3m-disable-weak-ciphers.patch: New file.
> > * gnu/packages/w3m.scm (w3m)[source]: Add patches.
> > * gnu-system.am (dist_patch_DATA): Add the new files.
> > ---
> >  gnu-system.am                                      |  3 +++
> >  .../patches/w3m-disable-sslv2-and-sslv3.patch      | 26 
> > +++++++++++++++++++++
> >  .../patches/w3m-disable-weak-ciphers.patch         | 27 
> > ++++++++++++++++++++++
> >  .../patches/w3m-force-ssl_verify_server-on.patch   | 27 
> > ++++++++++++++++++++++
> >  gnu/packages/w3m.scm                               |  5 +++-
> >  5 files changed, 87 insertions(+), 1 deletion(-)
> >  create mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
> >  create mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch
> >  create mode 100644 
> > gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
> > 
> > diff --git a/gnu-system.am b/gnu-system.am
> > index 3dd49fe..ea1dfda 100644
> > --- a/gnu-system.am
> > +++ b/gnu-system.am
> > @@ -699,6 +699,9 @@ dist_patch_DATA =                                       
> >         \
> >    gnu/packages/patches/vpnc-script.patch                   \
> >    gnu/packages/patches/vtk-mesa-10.patch                   \
> >    gnu/packages/patches/w3m-fix-compile.patch                       \
> > +  gnu/packages/patches/w3m-force-ssl_verify_server-on.patch        \
> > +  gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch   \
> > +  gnu/packages/patches/w3m-disable-weak-ciphers.patch              \
> >    gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch \
> >    gnu/packages/patches/weechat-python.patch                        \
> >    gnu/packages/patches/weex-vacopy.patch                   \
> > diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch 
> > b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
> > new file mode 100644
> > index 0000000..66989b4
> > --- /dev/null
> > +++ b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
> > @@ -0,0 +1,26 @@
> > +From cd63b1a4d70de7023ebebd0d69d99944def66340 Mon Sep 17 00:00:00 2001
> > +From: Leo Famulari <address@hidden>
> > +Date: Tue, 5 Jan 2016 17:15:33 -0500
> > +Subject: [PATCH 3/4] Disable SSLv2 and SSLv3.
> > +
> > +The only remaining methods are TLS FIXME which
> 
> Oops, I forgot to fill this out.

Updated patch set sent as v3.

> 
> > +---
> > + fm.h | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/fm.h b/fm.h
> > +index 320906c..ddcd4fc 100644
> > +--- a/fm.h
> > ++++ b/fm.h
> > +@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE);
> > + #endif                            /* defined(USE_SSL) &&
> > +                            * defined(USE_SSL_VERIFY) */
> > + #ifdef USE_SSL
> > +-global char *ssl_forbid_method init(NULL);
> > ++global char *ssl_forbid_method init("2, 3");
> > + #endif
> > + 
> > + global int is_redisplay init(FALSE);
> > +-- 
> > +2.6.4
> > +
> > diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch 
> > b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
> > new file mode 100644
> > index 0000000..4a739ee
> > --- /dev/null
> > +++ b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
> > @@ -0,0 +1,27 @@
> > +From f29e8344b3dbc95971edfca090e991c413990ba1 Mon Sep 17 00:00:00 2001
> > +From: Leo Famulari <address@hidden>
> > +Date: Tue, 5 Jan 2016 18:24:33 -0500
> > +Subject: [PATCH 4/4] Disable weak ciphers
> > +
> > +Disable RC4, "export ciphers", and all keys < 128 bits.
> > +
> > +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674
> > +---
> > + url.c | 1 +
> > + 1 file changed, 1 insertion(+)
> > +
> > +diff --git a/url.c b/url.c
> > +index ed6062e..e86b1f3 100644
> > +--- a/url.c
> > ++++ b/url.c
> > +@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
> > +   SSL_load_error_strings();
> > +   if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
> > +       goto eend;
> > ++  SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP");
> > +   option = SSL_OP_ALL;
> > +   if (ssl_forbid_method) {
> > +       if (strchr(ssl_forbid_method, '2'))
> > +-- 
> > +2.6.4
> > +
> > diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch 
> > b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
> > new file mode 100644
> > index 0000000..726c548
> > --- /dev/null
> > +++ b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
> > @@ -0,0 +1,27 @@
> > +From 760bfc04b5b86441d13c77e0306e315907544b64 Mon Sep 17 00:00:00 2001
> > +From: Leo Famulari <address@hidden>
> > +Date: Tue, 5 Jan 2016 17:15:18 -0500
> > +Subject: [PATCH 2/4] Force ssl_verify_server on.
> > +
> > +By default, SSL/TLS certificates are not verified. This enables the
> > +verification.
> > +---
> > + fm.h | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/fm.h b/fm.h
> > +index 8378939..320906c 100644
> > +--- a/fm.h
> > ++++ b/fm.h
> > +@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE);
> > + #endif
> > + 
> > + #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
> > +-global int ssl_verify_server init(FALSE);
> > ++global int ssl_verify_server init(TRUE);
> > + global char *ssl_cert_file init(NULL);
> > + global char *ssl_key_file init(NULL);
> > + global char *ssl_ca_path init(NULL);
> > +-- 
> > +2.6.4
> > +
> > diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm
> > index 627447b..36e11a6 100644
> > --- a/gnu/packages/w3m.scm
> > +++ b/gnu/packages/w3m.scm
> > @@ -44,7 +44,10 @@
> >                 "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"))
> >  
> >               ;; cf. https://bugs.archlinux.org/task/33397
> > -             (patches (list (search-patch "w3m-fix-compile.patch")))
> > +             (patches (list (search-patch "w3m-fix-compile.patch")
> > +                            (search-patch 
> > "w3m-force-ssl_verify_server-on.patch")
> > +                            (search-patch 
> > "w3m-disable-sslv2-and-sslv3.patch")
> > +                            (search-patch 
> > "w3m-disable-weak-ciphers.patch")))))
> >      (build-system gnu-build-system)
> >      (arguments `(#:tests? #f  ; no check target
> >                   #:phases (alist-cons-before
> > -- 
> > 2.6.4
> > 
> > 
>

[Prev in Thread]

Current Thread

[Next in Thread]

[v2 0/2] w3m: Enable SSL / TLS., Leo Famulari, 2016/01/05
- [v2 1/2] gnu: w3m: Update patch to use '-p1'., Leo Famulari, 2016/01/05
- [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers., Leo Famulari, 2016/01/05
  - Re: [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers., Leo Famulari, 2016/01/05
    - Re: [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers., Leo Famulari <=

Prev by Date: [v3 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers.
Next by Date: Re: Getting rid of build tools
Previous by thread: Re: [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers.
Next by thread: [v3 1/2] gnu: w3m: Update patch to use '-p1'.
Index(es):
- Date
- Thread