download: Ask not to use TLS 1.3.

Works around <https://bugs.gnu.org/34102>.
Reported by Marius Bakke <mbakke@fastmail.com>.

* guix/build/download.scm (tls-wrap): Add "-VERS-TLS1.3" to the priority
string when (gnutls-version) is not prefixed by "3.5".
This commit is contained in:
Ludovic Courtès 2019-01-26 23:14:12 +01:00
parent a64676e088
commit e4ee842026
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5

View file

@ -157,7 +157,8 @@ (define* (ftp-fetch uri file #:key timeout print-build-trace?)
;; XXX: Use this hack instead of #:autoload to avoid compilation errors. ;; XXX: Use this hack instead of #:autoload to avoid compilation errors.
;; See <http://bugs.gnu.org/12202>. ;; See <http://bugs.gnu.org/12202>.
(module-autoload! (current-module) (module-autoload! (current-module)
'(gnutls) '(make-session connection-end/client)) '(gnutls)
'(gnutls-version make-session connection-end/client))
(define %tls-ports (define %tls-ports
;; Mapping of session record ports to the underlying file port. ;; Mapping of session record ports to the underlying file port.
@ -268,7 +269,18 @@ (define (log level str)
;; "(gnutls) Priority Strings"); see <http://bugs.gnu.org/23311>. ;; "(gnutls) Priority Strings"); see <http://bugs.gnu.org/23311>.
;; Explicitly disable SSLv3, which is insecure: ;; Explicitly disable SSLv3, which is insecure:
;; <https://tools.ietf.org/html/rfc7568>. ;; <https://tools.ietf.org/html/rfc7568>.
(set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0") ;;
;; FIXME: Since we currently fail to handle TLS 1.3 (with GnuTLS 3.6.5),
;; remove it; see <https://bugs.gnu.org/34102>.
(set-session-priorities! session
(string-append
"NORMAL:%COMPAT:-VERS-SSL3.0"
;; The "VERS-TLS1.3" priority string is not
;; supported by GnuTLS 3.5.
(if (string-prefix? "3.5." (gnutls-version))
""
":-VERS-TLS1.3")))
(set-session-credentials! session (set-session-credentials! session
(if (and verify-certificate? ca-certs) (if (and verify-certificate? ca-certs)