On 2016-02-01 Carsten Schoenert <c.schoen...@t-online.de> wrote:
[...]
> Peter Green has submitted a debdiff with a possibly solution that's seen
> below. I'm not a security expert on those used functions inside libvmime
> and found a another solution based on suggestions for upgrading to 3.4
> [1] and created a patch that's appended.
[...]
Hello,
I am not able to do a code review but:
const char certTypePriority[] = { GNUTLS_CRT_X509, 0 };
const char protoPriority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
const char cipherPriority[] = [list of ciphers]
const char macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0};
Neither of these look very sane or useful to me. The certtype priority
setting matches the GnuTLS default and the other ones explicitely choose
algoritms that do not look like a improvement. (SSLv3, seriously?)
I think dropping these settings and using
gnutls_set_default_priority() would be a much better notion. This way
you would simply rely on the "sane and safe choice" from GnuTLS
instead of trying to reinvent the wheel.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
