From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers. Date: Tue, 5 Jan 2016 21:05:24 -0500 Message-ID: <20160106020524.GA19892@jasmine> References: <20160106014912.GA19070@jasmine> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:56500) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aGdTb-0005yw-Nn for guix-devel@gnu.org; Tue, 05 Jan 2016 21:05:29 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aGdTX-0000tx-IR for guix-devel@gnu.org; Tue, 05 Jan 2016 21:05:27 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:33219) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aGdTX-0000tt-ES for guix-devel@gnu.org; Tue, 05 Jan 2016 21:05:23 -0500 Received: from localhost (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231]) by mail.messagingengine.com (Postfix) with ESMTPA id 0BB10C016DB for ; Tue, 5 Jan 2016 21:05:23 -0500 (EST) Content-Disposition: inline In-Reply-To: <20160106014912.GA19070@jasmine> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: guix-devel@gnu.org On Tue, Jan 05, 2016 at 08:49:12PM -0500, Leo Famulari wrote: > On Tue, Jan 05, 2016 at 08:11:12PM -0500, Leo Famulari wrote: > > * gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: New file. > > * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: New file. > > * gnu/packages/patches/w3m-disable-weak-ciphers.patch: New file. > > * gnu/packages/w3m.scm (w3m)[source]: Add patches. > > * gnu-system.am (dist_patch_DATA): Add the new files. > > --- > > gnu-system.am | 3 +++ > > .../patches/w3m-disable-sslv2-and-sslv3.patch | 26 +++++++++++++++++++++ > > .../patches/w3m-disable-weak-ciphers.patch | 27 ++++++++++++++++++++++ > > .../patches/w3m-force-ssl_verify_server-on.patch | 27 ++++++++++++++++++++++ > > gnu/packages/w3m.scm | 5 +++- > > 5 files changed, 87 insertions(+), 1 deletion(-) > > create mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch > > create mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch > > create mode 100644 gnu/packages/patches/w3m-force-ssl_verify_server-on.patch > > > > diff --git a/gnu-system.am b/gnu-system.am > > index 3dd49fe..ea1dfda 100644 > > --- a/gnu-system.am > > +++ b/gnu-system.am > > @@ -699,6 +699,9 @@ dist_patch_DATA = \ > > gnu/packages/patches/vpnc-script.patch \ > > gnu/packages/patches/vtk-mesa-10.patch \ > > gnu/packages/patches/w3m-fix-compile.patch \ > > + gnu/packages/patches/w3m-force-ssl_verify_server-on.patch \ > > + gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch \ > > + gnu/packages/patches/w3m-disable-weak-ciphers.patch \ > > gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch \ > > gnu/packages/patches/weechat-python.patch \ > > gnu/packages/patches/weex-vacopy.patch \ > > diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch > > new file mode 100644 > > index 0000000..66989b4 > > --- /dev/null > > +++ b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch > > @@ -0,0 +1,26 @@ > > +From cd63b1a4d70de7023ebebd0d69d99944def66340 Mon Sep 17 00:00:00 2001 > > +From: Leo Famulari > > +Date: Tue, 5 Jan 2016 17:15:33 -0500 > > +Subject: [PATCH 3/4] Disable SSLv2 and SSLv3. > > + > > +The only remaining methods are TLS FIXME which > > Oops, I forgot to fill this out. Updated patch set sent as v3. > > > +--- > > + fm.h | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/fm.h b/fm.h > > +index 320906c..ddcd4fc 100644 > > +--- a/fm.h > > ++++ b/fm.h > > +@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE); > > + #endif /* defined(USE_SSL) && > > + * defined(USE_SSL_VERIFY) */ > > + #ifdef USE_SSL > > +-global char *ssl_forbid_method init(NULL); > > ++global char *ssl_forbid_method init("2, 3"); > > + #endif > > + > > + global int is_redisplay init(FALSE); > > +-- > > +2.6.4 > > + > > diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch b/gnu/packages/patches/w3m-disable-weak-ciphers.patch > > new file mode 100644 > > index 0000000..4a739ee > > --- /dev/null > > +++ b/gnu/packages/patches/w3m-disable-weak-ciphers.patch > > @@ -0,0 +1,27 @@ > > +From f29e8344b3dbc95971edfca090e991c413990ba1 Mon Sep 17 00:00:00 2001 > > +From: Leo Famulari > > +Date: Tue, 5 Jan 2016 18:24:33 -0500 > > +Subject: [PATCH 4/4] Disable weak ciphers > > + > > +Disable RC4, "export ciphers", and all keys < 128 bits. > > + > > +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674 > > +--- > > + url.c | 1 + > > + 1 file changed, 1 insertion(+) > > + > > +diff --git a/url.c b/url.c > > +index ed6062e..e86b1f3 100644 > > +--- a/url.c > > ++++ b/url.c > > +@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert) > > + SSL_load_error_strings(); > > + if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method()))) > > + goto eend; > > ++ SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP"); > > + option = SSL_OP_ALL; > > + if (ssl_forbid_method) { > > + if (strchr(ssl_forbid_method, '2')) > > +-- > > +2.6.4 > > + > > diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch > > new file mode 100644 > > index 0000000..726c548 > > --- /dev/null > > +++ b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch > > @@ -0,0 +1,27 @@ > > +From 760bfc04b5b86441d13c77e0306e315907544b64 Mon Sep 17 00:00:00 2001 > > +From: Leo Famulari > > +Date: Tue, 5 Jan 2016 17:15:18 -0500 > > +Subject: [PATCH 2/4] Force ssl_verify_server on. > > + > > +By default, SSL/TLS certificates are not verified. This enables the > > +verification. > > +--- > > + fm.h | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/fm.h b/fm.h > > +index 8378939..320906c 100644 > > +--- a/fm.h > > ++++ b/fm.h > > +@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE); > > + #endif > > + > > + #if defined(USE_SSL) && defined(USE_SSL_VERIFY) > > +-global int ssl_verify_server init(FALSE); > > ++global int ssl_verify_server init(TRUE); > > + global char *ssl_cert_file init(NULL); > > + global char *ssl_key_file init(NULL); > > + global char *ssl_ca_path init(NULL); > > +-- > > +2.6.4 > > + > > diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm > > index 627447b..36e11a6 100644 > > --- a/gnu/packages/w3m.scm > > +++ b/gnu/packages/w3m.scm > > @@ -44,7 +44,10 @@ > > "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579")) > > > > ;; cf. https://bugs.archlinux.org/task/33397 > > - (patches (list (search-patch "w3m-fix-compile.patch"))) > > + (patches (list (search-patch "w3m-fix-compile.patch") > > + (search-patch "w3m-force-ssl_verify_server-on.patch") > > + (search-patch "w3m-disable-sslv2-and-sslv3.patch") > > + (search-patch "w3m-disable-weak-ciphers.patch"))))) > > (build-system gnu-build-system) > > (arguments `(#:tests? #f ; no check target > > #:phases (alist-cons-before > > -- > > 2.6.4 > > > > >