From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ricardo Wurmus
Subject: bug#34102: [staging] Guix fails to download from TLSv1.3-enabled servers
Date: Fri, 25 Jan 2019 15:04:51 +0100
Message-ID: <87r2d0vnng.fsf@elephly.net>
References: <875zuoiv6s.fsf@fastmail.com> <87sgxgq2cy.fsf@gnu.org>
In-reply-to: <87sgxgq2cy.fsf@gnu.org>
List-Id: Bug reports for GNU Guix
To: Ludovic Courtès
Cc: 34102@debbugs.gnu.org

Ludovic Courtès writes:

>> This is an obvious merge blocker, help wanted! Disabling TLS1.3 in the
>> priority string works as a last-resort workaround.
>
> Yes, that's a stop-gap measure we should probably apply for now:
>
> diff --git a/guix/build/download.scm b/guix/build/download.scm
> index c08221b3b2..23c9a4d466 100644
> --- a/guix/build/download.scm
> +++ b/guix/build/download.scm
> @@ -268,7 +268,10 @@ host name without trailing dot."
> ;; "(gnutls) Priority Strings"); see .
> ;; Explicitly disable SSLv3, which is insecure:
> ;; .
> - (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0")
> + ;;
> + ;; FIXME: Since we currently fail to handle TLS 1.3, remove it; see
> + ;; .
> + (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.3")
>
> (set-session-credentials! session
> (if (and verify-certificate? ca-certs)
>
> Any objections?

I think it's fine to do this to allow us to merge the staging branch
before fixing the problem in the Guile bindings.

-- 
Ricardo
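Review bot: the new priority string in this hunk, "NORMAL:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.3", removes TLS 1.3 from the versions offered for every download Guix makes, so a server that accepts only TLS 1.3 will now fail at the handshake instead of failing later in the Guile bindings; the FIXME comment should state that consequence, and the line should be reverted as soon as the bindings handle TLS 1.3 rather than left in place. The change is otherwise safe: TLS 1.2 with the NORMAL suites is still negotiated and no insecure protocol is re-enabled (SSLv3 stays disabled). Before merging, confirm the string does what is intended with the GnuTLS command-line client, e.g. `gnutls-cli --priority "NORMAL:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.3" <host>` against a TLS 1.3-capable host, which should negotiate TLS 1.2.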