Hello guys

I'm using the ejabberd XMPP server, and one fine day Debian pushed a security update (package 2.1.10-4+deb7u2) that disables all old and insecure TLS/SSL protocols (TLS < 1.2, SSLv3). With that configuration, the patch from Duck was not enough to get things working again. So I investigated quite intensively and finally got it to work by changing the priority string variable to this one:

SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:+SIGN-ALL

Explanation of the changes:
* removed "+SECURE192", as that isn't working, at least with the GnuTLS lib version (3.0.22) I have installed (tried with gnutls-cli, which threw a "Syntax error" message). To be more precise, "+SECURE192" isn't valid with the GnuTLS version shipped with Debian Wheezy, and it also seems that only one SECURE "preset" flag may be used (another one with +/- won't work).
* added "+SIGN-ALL", which enables all public key signatures (introduced with TLS 1.2, and necessary when using that protocol, against ejabberd at least)

Find my version of the patch attached...

Regards,
Mike Rhyner
Index: libiksemel-1.2/src/stream.c
===================================================================
--- src/stream.c
+++ src/stream.c
@@ -63,11 +63,7 @@ tls_pull (iksparser *prs, char *buffer,
 static int
 handshake (struct stream_data *data)
 {
-   const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
-   const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
-   const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
-   const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
-   const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
+   const char *priority_string = "SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:+SIGN-ALL";
    int ret;

    if (gnutls_global_init () != 0)
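Review bot: the new priority_string at the top of handshake() is a hard-coded constant that pins the session to TLS 1.2 only ("-VERS-TLS-ALL:+VERS-TLS1.2"), so a peer that cannot speak TLS 1.2 will fail the handshake and the policy cannot be adjusted without recompiling. Consider taking the string from a build-time define or a setter that defaults to this value, and add a comment beside it recording why "+SIGN-ALL" is present, since the reason is not evident from the string itself.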
@@ -80,11 +76,7 @@ handshake (struct stream_data *data)
        gnutls_certificate_free_credentials (data->cred);
        return IKS_NOMEM;
    }
-   gnutls_protocol_set_priority (data->sess, protocol_priority);
-   gnutls_cipher_set_priority(data->sess, cipher_priority);
-   gnutls_compression_set_priority(data->sess, comp_priority);
-   gnutls_kx_set_priority(data->sess, kx_priority);
-   gnutls_mac_set_priority(data->sess, mac_priority);
+   gnutls_priority_set_direct(data->sess, priority_string, NULL);
    gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);

    gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
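Review bot: the return value of gnutls_priority_set_direct() is discarded, so a priority string that the installed GnuTLS rejects goes unnoticed and the handshake is attempted anyway with whatever priorities the session happens to have. Compare the result with GNUTLS_E_SUCCESS and bail out the way the preceding error path does (free data->cred and return an error code); passing the address of a const char * instead of NULL as the third argument also gives the position of the offending token, which is worth logging.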
