* [v2 0/2] w3m: Enable SSL / TLS. @ 2016-01-06 1:11 Leo Famulari 2016-01-06 1:11 ` [v2 1/2] gnu: w3m: Update patch to use '-p1' Leo Famulari 2016-01-06 1:11 ` [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers Leo Famulari 0 siblings, 2 replies; 5+ messages in thread From: Leo Famulari @ 2016-01-06 1:11 UTC (permalink / raw) To: guix-devel Here is another take on bug#16791. This updates an existing patch to work with `patch -p1` and then applies patches that enable SSL / TLS verification and disable broken SSL protocols and ciphers. Thoughts? Leo Famulari (2): gnu: w3m: Update patch to use '-p1'. gnu: w3m: Enable SSL, disable broken protocols and ciphers. gnu-system.am | 3 +++ .../patches/w3m-disable-sslv2-and-sslv3.patch | 26 +++++++++++++++++++++ .../patches/w3m-disable-weak-ciphers.patch | 27 ++++++++++++++++++++++ gnu/packages/patches/w3m-fix-compile.patch | 24 ++++++++++++++----- .../patches/w3m-force-ssl_verify_server-on.patch | 27 ++++++++++++++++++++++ gnu/packages/w3m.scm | 7 ++++-- 6 files changed, 106 insertions(+), 8 deletions(-) create mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch create mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch create mode 100644 gnu/packages/patches/w3m-force-ssl_verify_server-on.patch -- 2.6.4 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [v2 1/2] gnu: w3m: Update patch to use '-p1'. 2016-01-06 1:11 [v2 0/2] w3m: Enable SSL / TLS Leo Famulari @ 2016-01-06 1:11 ` Leo Famulari 2016-01-06 1:11 ` [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers Leo Famulari 1 sibling, 0 replies; 5+ messages in thread From: Leo Famulari @ 2016-01-06 1:11 UTC (permalink / raw) To: guix-devel * gnu/packages/patches/w3m-fix-compile.patch: Update to work with -p1. * gnu/packages/w3m.scm (w3m): Drop patch flag -p0. --- gnu/packages/patches/w3m-fix-compile.patch | 24 ++++++++++++++++++------ gnu/packages/w3m.scm | 2 +- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/gnu/packages/patches/w3m-fix-compile.patch b/gnu/packages/patches/w3m-fix-compile.patch index 5604052..33e7486 100644 --- a/gnu/packages/patches/w3m-fix-compile.patch +++ b/gnu/packages/patches/w3m-fix-compile.patch @@ -1,15 +1,27 @@ +From 371f256f5f300b01be228a6fd95884ea475965fc Mon Sep 17 00:00:00 2001 +From: Leo Famulari <leo@famulari.name> +Date: Tue, 5 Jan 2016 16:57:29 -0500 +Subject: [PATCH 1/4] fix compile + https://bugs.archlinux.org/task/33397 +--- + main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) -diff -aur old/main.c new/main.c ---- main.c 2013-01-14 18:16:14.216210053 -0600 -+++ main.c 2013-01-14 18:17:28.816220559 -0600 -@@ -833,7 +833,8 @@ +diff --git a/main.c b/main.c +index b421943..249eb1a 100644 +--- a/main.c ++++ b/main.c +@@ -833,7 +833,8 @@ main(int argc, char **argv, char **envp) mySignal(SIGPIPE, SigPipe); #endif - + - orig_GC_warn_proc = GC_set_warn_proc(wrap_GC_warn_proc); + orig_GC_warn_proc = GC_get_warn_proc(); + GC_set_warn_proc(wrap_GC_warn_proc); err_msg = Strnew(); if (load_argc == 0) { - /* no URL specified */ + /* no URL specified */ +-- +2.6.4 + diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm index d114d0a..627447b 100644 --- a/gnu/packages/w3m.scm +++ b/gnu/packages/w3m.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org> +;;; Copyright © 2016 Leo Famulari <leo@famulari.name> ;;; ;;; This file is part of GNU Guix. ;;; @@ -44,7 +45,6 @@ ;; cf. https://bugs.archlinux.org/task/33397 (patches (list (search-patch "w3m-fix-compile.patch"))) - (patch-flags '("-p0")))) (build-system gnu-build-system) (arguments `(#:tests? #f ; no check target #:phases (alist-cons-before -- 2.6.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers. 2016-01-06 1:11 [v2 0/2] w3m: Enable SSL / TLS Leo Famulari 2016-01-06 1:11 ` [v2 1/2] gnu: w3m: Update patch to use '-p1' Leo Famulari @ 2016-01-06 1:11 ` Leo Famulari 2016-01-06 1:49 ` Leo Famulari 1 sibling, 1 reply; 5+ messages in thread From: Leo Famulari @ 2016-01-06 1:11 UTC (permalink / raw) To: guix-devel * gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: New file. * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: New file. * gnu/packages/patches/w3m-disable-weak-ciphers.patch: New file. * gnu/packages/w3m.scm (w3m)[source]: Add patches. * gnu-system.am (dist_patch_DATA): Add the new files. --- gnu-system.am | 3 +++ .../patches/w3m-disable-sslv2-and-sslv3.patch | 26 +++++++++++++++++++++ .../patches/w3m-disable-weak-ciphers.patch | 27 ++++++++++++++++++++++ .../patches/w3m-force-ssl_verify_server-on.patch | 27 ++++++++++++++++++++++ gnu/packages/w3m.scm | 5 +++- 5 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch create mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch create mode 100644 gnu/packages/patches/w3m-force-ssl_verify_server-on.patch diff --git a/gnu-system.am b/gnu-system.am index 3dd49fe..ea1dfda 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -699,6 +699,9 @@ dist_patch_DATA = \ gnu/packages/patches/vpnc-script.patch \ gnu/packages/patches/vtk-mesa-10.patch \ gnu/packages/patches/w3m-fix-compile.patch \ + gnu/packages/patches/w3m-force-ssl_verify_server-on.patch \ + gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch \ + gnu/packages/patches/w3m-disable-weak-ciphers.patch \ gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch \ gnu/packages/patches/weechat-python.patch \ gnu/packages/patches/weex-vacopy.patch \ diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch new file mode 100644 index 0000000..66989b4 --- /dev/null +++ b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch @@ -0,0 +1,26 @@ +From cd63b1a4d70de7023ebebd0d69d99944def66340 Mon Sep 17 00:00:00 2001 +From: Leo Famulari <leo@famulari.name> +Date: Tue, 5 Jan 2016 17:15:33 -0500 +Subject: [PATCH 3/4] Disable SSLv2 and SSLv3. + +The only remaining methods are TLS FIXME which +--- + fm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fm.h b/fm.h +index 320906c..ddcd4fc 100644 +--- a/fm.h ++++ b/fm.h +@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE); + #endif /* defined(USE_SSL) && + * defined(USE_SSL_VERIFY) */ + #ifdef USE_SSL +-global char *ssl_forbid_method init(NULL); ++global char *ssl_forbid_method init("2, 3"); + #endif + + global int is_redisplay init(FALSE); +-- +2.6.4 + diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch b/gnu/packages/patches/w3m-disable-weak-ciphers.patch new file mode 100644 index 0000000..4a739ee --- /dev/null +++ b/gnu/packages/patches/w3m-disable-weak-ciphers.patch @@ -0,0 +1,27 @@ +From f29e8344b3dbc95971edfca090e991c413990ba1 Mon Sep 17 00:00:00 2001 +From: Leo Famulari <leo@famulari.name> +Date: Tue, 5 Jan 2016 18:24:33 -0500 +Subject: [PATCH 4/4] Disable weak ciphers + +Disable RC4, "export ciphers", and all keys < 128 bits. + +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674 +--- + url.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/url.c b/url.c +index ed6062e..e86b1f3 100644 +--- a/url.c ++++ b/url.c +@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert) + SSL_load_error_strings(); + if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method()))) + goto eend; ++ SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP"); + option = SSL_OP_ALL; + if (ssl_forbid_method) { + if (strchr(ssl_forbid_method, '2')) +-- +2.6.4 + diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch new file mode 100644 index 0000000..726c548 --- /dev/null +++ b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch @@ -0,0 +1,27 @@ +From 760bfc04b5b86441d13c77e0306e315907544b64 Mon Sep 17 00:00:00 2001 +From: Leo Famulari <leo@famulari.name> +Date: Tue, 5 Jan 2016 17:15:18 -0500 +Subject: [PATCH 2/4] Force ssl_verify_server on. + +By default, SSL/TLS certificates are not verified. This enables the +verification. +--- + fm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fm.h b/fm.h +index 8378939..320906c 100644 +--- a/fm.h ++++ b/fm.h +@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE); + #endif + + #if defined(USE_SSL) && defined(USE_SSL_VERIFY) +-global int ssl_verify_server init(FALSE); ++global int ssl_verify_server init(TRUE); + global char *ssl_cert_file init(NULL); + global char *ssl_key_file init(NULL); + global char *ssl_ca_path init(NULL); +-- +2.6.4 + diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm index 627447b..36e11a6 100644 --- a/gnu/packages/w3m.scm +++ b/gnu/packages/w3m.scm @@ -44,7 +44,10 @@ "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579")) ;; cf. https://bugs.archlinux.org/task/33397 - (patches (list (search-patch "w3m-fix-compile.patch"))) + (patches (list (search-patch "w3m-fix-compile.patch") + (search-patch "w3m-force-ssl_verify_server-on.patch") + (search-patch "w3m-disable-sslv2-and-sslv3.patch") + (search-patch "w3m-disable-weak-ciphers.patch"))))) (build-system gnu-build-system) (arguments `(#:tests? #f ; no check target #:phases (alist-cons-before -- 2.6.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers. 2016-01-06 1:11 ` [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers Leo Famulari @ 2016-01-06 1:49 ` Leo Famulari 2016-01-06 2:05 ` Leo Famulari 0 siblings, 1 reply; 5+ messages in thread From: Leo Famulari @ 2016-01-06 1:49 UTC (permalink / raw) To: guix-devel On Tue, Jan 05, 2016 at 08:11:12PM -0500, Leo Famulari wrote: > * gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: New file. > * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: New file. > * gnu/packages/patches/w3m-disable-weak-ciphers.patch: New file. > * gnu/packages/w3m.scm (w3m)[source]: Add patches. > * gnu-system.am (dist_patch_DATA): Add the new files. > --- > gnu-system.am | 3 +++ > .../patches/w3m-disable-sslv2-and-sslv3.patch | 26 +++++++++++++++++++++ > .../patches/w3m-disable-weak-ciphers.patch | 27 ++++++++++++++++++++++ > .../patches/w3m-force-ssl_verify_server-on.patch | 27 ++++++++++++++++++++++ > gnu/packages/w3m.scm | 5 +++- > 5 files changed, 87 insertions(+), 1 deletion(-) > create mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch > create mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch > create mode 100644 gnu/packages/patches/w3m-force-ssl_verify_server-on.patch > > diff --git a/gnu-system.am b/gnu-system.am > index 3dd49fe..ea1dfda 100644 > --- a/gnu-system.am > +++ b/gnu-system.am > @@ -699,6 +699,9 @@ dist_patch_DATA = \ > gnu/packages/patches/vpnc-script.patch \ > gnu/packages/patches/vtk-mesa-10.patch \ > gnu/packages/patches/w3m-fix-compile.patch \ > + gnu/packages/patches/w3m-force-ssl_verify_server-on.patch \ > + gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch \ > + gnu/packages/patches/w3m-disable-weak-ciphers.patch \ > gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch \ > gnu/packages/patches/weechat-python.patch \ > gnu/packages/patches/weex-vacopy.patch \ > diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch > new file mode 100644 > index 0000000..66989b4 > --- /dev/null > +++ b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch > @@ -0,0 +1,26 @@ > +From cd63b1a4d70de7023ebebd0d69d99944def66340 Mon Sep 17 00:00:00 2001 > +From: Leo Famulari <leo@famulari.name> > +Date: Tue, 5 Jan 2016 17:15:33 -0500 > +Subject: [PATCH 3/4] Disable SSLv2 and SSLv3. > + > +The only remaining methods are TLS FIXME which Oops, I forgot to fill this out. > +--- > + fm.h | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/fm.h b/fm.h > +index 320906c..ddcd4fc 100644 > +--- a/fm.h > ++++ b/fm.h > +@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE); > + #endif /* defined(USE_SSL) && > + * defined(USE_SSL_VERIFY) */ > + #ifdef USE_SSL > +-global char *ssl_forbid_method init(NULL); > ++global char *ssl_forbid_method init("2, 3"); > + #endif > + > + global int is_redisplay init(FALSE); > +-- > +2.6.4 > + > diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch b/gnu/packages/patches/w3m-disable-weak-ciphers.patch > new file mode 100644 > index 0000000..4a739ee > --- /dev/null > +++ b/gnu/packages/patches/w3m-disable-weak-ciphers.patch > @@ -0,0 +1,27 @@ > +From f29e8344b3dbc95971edfca090e991c413990ba1 Mon Sep 17 00:00:00 2001 > +From: Leo Famulari <leo@famulari.name> > +Date: Tue, 5 Jan 2016 18:24:33 -0500 > +Subject: [PATCH 4/4] Disable weak ciphers > + > +Disable RC4, "export ciphers", and all keys < 128 bits. > + > +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674 > +--- > + url.c | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/url.c b/url.c > +index ed6062e..e86b1f3 100644 > +--- a/url.c > ++++ b/url.c > +@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert) > + SSL_load_error_strings(); > + if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method()))) > + goto eend; > ++ SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP"); > + option = SSL_OP_ALL; > + if (ssl_forbid_method) { > + if (strchr(ssl_forbid_method, '2')) > +-- > +2.6.4 > + > diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch > new file mode 100644 > index 0000000..726c548 > --- /dev/null > +++ b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch > @@ -0,0 +1,27 @@ > +From 760bfc04b5b86441d13c77e0306e315907544b64 Mon Sep 17 00:00:00 2001 > +From: Leo Famulari <leo@famulari.name> > +Date: Tue, 5 Jan 2016 17:15:18 -0500 > +Subject: [PATCH 2/4] Force ssl_verify_server on. > + > +By default, SSL/TLS certificates are not verified. This enables the > +verification. > +--- > + fm.h | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/fm.h b/fm.h > +index 8378939..320906c 100644 > +--- a/fm.h > ++++ b/fm.h > +@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE); > + #endif > + > + #if defined(USE_SSL) && defined(USE_SSL_VERIFY) > +-global int ssl_verify_server init(FALSE); > ++global int ssl_verify_server init(TRUE); > + global char *ssl_cert_file init(NULL); > + global char *ssl_key_file init(NULL); > + global char *ssl_ca_path init(NULL); > +-- > +2.6.4 > + > diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm > index 627447b..36e11a6 100644 > --- a/gnu/packages/w3m.scm > +++ b/gnu/packages/w3m.scm > @@ -44,7 +44,10 @@ > "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579")) > > ;; cf. https://bugs.archlinux.org/task/33397 > - (patches (list (search-patch "w3m-fix-compile.patch"))) > + (patches (list (search-patch "w3m-fix-compile.patch") > + (search-patch "w3m-force-ssl_verify_server-on.patch") > + (search-patch "w3m-disable-sslv2-and-sslv3.patch") > + (search-patch "w3m-disable-weak-ciphers.patch"))))) > (build-system gnu-build-system) > (arguments `(#:tests? #f ; no check target > #:phases (alist-cons-before > -- > 2.6.4 > > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers. 2016-01-06 1:49 ` Leo Famulari @ 2016-01-06 2:05 ` Leo Famulari 0 siblings, 0 replies; 5+ messages in thread From: Leo Famulari @ 2016-01-06 2:05 UTC (permalink / raw) To: guix-devel On Tue, Jan 05, 2016 at 08:49:12PM -0500, Leo Famulari wrote: > On Tue, Jan 05, 2016 at 08:11:12PM -0500, Leo Famulari wrote: > > * gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: New file. > > * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: New file. > > * gnu/packages/patches/w3m-disable-weak-ciphers.patch: New file. > > * gnu/packages/w3m.scm (w3m)[source]: Add patches. > > * gnu-system.am (dist_patch_DATA): Add the new files. > > --- > > gnu-system.am | 3 +++ > > .../patches/w3m-disable-sslv2-and-sslv3.patch | 26 +++++++++++++++++++++ > > .../patches/w3m-disable-weak-ciphers.patch | 27 ++++++++++++++++++++++ > > .../patches/w3m-force-ssl_verify_server-on.patch | 27 ++++++++++++++++++++++ > > gnu/packages/w3m.scm | 5 +++- > > 5 files changed, 87 insertions(+), 1 deletion(-) > > create mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch > > create mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch > > create mode 100644 gnu/packages/patches/w3m-force-ssl_verify_server-on.patch > > > > diff --git a/gnu-system.am b/gnu-system.am > > index 3dd49fe..ea1dfda 100644 > > --- a/gnu-system.am > > +++ b/gnu-system.am > > @@ -699,6 +699,9 @@ dist_patch_DATA = \ > > gnu/packages/patches/vpnc-script.patch \ > > gnu/packages/patches/vtk-mesa-10.patch \ > > gnu/packages/patches/w3m-fix-compile.patch \ > > + gnu/packages/patches/w3m-force-ssl_verify_server-on.patch \ > > + gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch \ > > + gnu/packages/patches/w3m-disable-weak-ciphers.patch \ > > gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch \ > > gnu/packages/patches/weechat-python.patch \ > > gnu/packages/patches/weex-vacopy.patch \ > > diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch > > new file mode 100644 > > index 0000000..66989b4 > > --- /dev/null > > +++ b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch > > @@ -0,0 +1,26 @@ > > +From cd63b1a4d70de7023ebebd0d69d99944def66340 Mon Sep 17 00:00:00 2001 > > +From: Leo Famulari <leo@famulari.name> > > +Date: Tue, 5 Jan 2016 17:15:33 -0500 > > +Subject: [PATCH 3/4] Disable SSLv2 and SSLv3. > > + > > +The only remaining methods are TLS FIXME which > > Oops, I forgot to fill this out. Updated patch set sent as v3. > > > +--- > > + fm.h | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/fm.h b/fm.h > > +index 320906c..ddcd4fc 100644 > > +--- a/fm.h > > ++++ b/fm.h > > +@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE); > > + #endif /* defined(USE_SSL) && > > + * defined(USE_SSL_VERIFY) */ > > + #ifdef USE_SSL > > +-global char *ssl_forbid_method init(NULL); > > ++global char *ssl_forbid_method init("2, 3"); > > + #endif > > + > > + global int is_redisplay init(FALSE); > > +-- > > +2.6.4 > > + > > diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch b/gnu/packages/patches/w3m-disable-weak-ciphers.patch > > new file mode 100644 > > index 0000000..4a739ee > > --- /dev/null > > +++ b/gnu/packages/patches/w3m-disable-weak-ciphers.patch > > @@ -0,0 +1,27 @@ > > +From f29e8344b3dbc95971edfca090e991c413990ba1 Mon Sep 17 00:00:00 2001 > > +From: Leo Famulari <leo@famulari.name> > > +Date: Tue, 5 Jan 2016 18:24:33 -0500 > > +Subject: [PATCH 4/4] Disable weak ciphers > > + > > +Disable RC4, "export ciphers", and all keys < 128 bits. > > + > > +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674 > > +--- > > + url.c | 1 + > > + 1 file changed, 1 insertion(+) > > + > > +diff --git a/url.c b/url.c > > +index ed6062e..e86b1f3 100644 > > +--- a/url.c > > ++++ b/url.c > > +@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert) > > + SSL_load_error_strings(); > > + if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method()))) > > + goto eend; > > ++ SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP"); > > + option = SSL_OP_ALL; > > + if (ssl_forbid_method) { > > + if (strchr(ssl_forbid_method, '2')) > > +-- > > +2.6.4 > > + > > diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch > > new file mode 100644 > > index 0000000..726c548 > > --- /dev/null > > +++ b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch > > @@ -0,0 +1,27 @@ > > +From 760bfc04b5b86441d13c77e0306e315907544b64 Mon Sep 17 00:00:00 2001 > > +From: Leo Famulari <leo@famulari.name> > > +Date: Tue, 5 Jan 2016 17:15:18 -0500 > > +Subject: [PATCH 2/4] Force ssl_verify_server on. > > + > > +By default, SSL/TLS certificates are not verified. This enables the > > +verification. > > +--- > > + fm.h | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/fm.h b/fm.h > > +index 8378939..320906c 100644 > > +--- a/fm.h > > ++++ b/fm.h > > +@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE); > > + #endif > > + > > + #if defined(USE_SSL) && defined(USE_SSL_VERIFY) > > +-global int ssl_verify_server init(FALSE); > > ++global int ssl_verify_server init(TRUE); > > + global char *ssl_cert_file init(NULL); > > + global char *ssl_key_file init(NULL); > > + global char *ssl_ca_path init(NULL); > > +-- > > +2.6.4 > > + > > diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm > > index 627447b..36e11a6 100644 > > --- a/gnu/packages/w3m.scm > > +++ b/gnu/packages/w3m.scm > > @@ -44,7 +44,10 @@ > > "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579")) > > > > ;; cf. https://bugs.archlinux.org/task/33397 > > - (patches (list (search-patch "w3m-fix-compile.patch"))) > > + (patches (list (search-patch "w3m-fix-compile.patch") > > + (search-patch "w3m-force-ssl_verify_server-on.patch") > > + (search-patch "w3m-disable-sslv2-and-sslv3.patch") > > + (search-patch "w3m-disable-weak-ciphers.patch"))))) > > (build-system gnu-build-system) > > (arguments `(#:tests? #f ; no check target > > #:phases (alist-cons-before > > -- > > 2.6.4 > > > > > ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-01-06 2:05 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-01-06 1:11 [v2 0/2] w3m: Enable SSL / TLS Leo Famulari 2016-01-06 1:11 ` [v2 1/2] gnu: w3m: Update patch to use '-p1' Leo Famulari 2016-01-06 1:11 ` [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers Leo Famulari 2016-01-06 1:49 ` Leo Famulari 2016-01-06 2:05 ` Leo Famulari
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/guix.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).