* [v2 0/2] w3m: Enable SSL / TLS.
@ 2016-01-06 1:11 Leo Famulari
2016-01-06 1:11 ` [v2 1/2] gnu: w3m: Update patch to use '-p1' Leo Famulari
2016-01-06 1:11 ` [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers Leo Famulari
0 siblings, 2 replies; 5+ messages in thread
From: Leo Famulari @ 2016-01-06 1:11 UTC (permalink / raw)
To: guix-devel
Here is another take on bug#16791.
This updates an existing patch to work with `patch -p1` and then applies
patches that enable SSL / TLS verification and disable broken SSL
protocols and ciphers.
Thoughts?
Leo Famulari (2):
gnu: w3m: Update patch to use '-p1'.
gnu: w3m: Enable SSL, disable broken protocols and ciphers.
gnu-system.am | 3 +++
.../patches/w3m-disable-sslv2-and-sslv3.patch | 26 +++++++++++++++++++++
.../patches/w3m-disable-weak-ciphers.patch | 27 ++++++++++++++++++++++
gnu/packages/patches/w3m-fix-compile.patch | 24 ++++++++++++++-----
.../patches/w3m-force-ssl_verify_server-on.patch | 27 ++++++++++++++++++++++
gnu/packages/w3m.scm | 7 ++++--
6 files changed, 106 insertions(+), 8 deletions(-)
create mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
create mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch
create mode 100644 gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
--
2.6.4
^ permalink raw reply [flat|nested] 5+ messages in thread
* [v2 1/2] gnu: w3m: Update patch to use '-p1'.
2016-01-06 1:11 [v2 0/2] w3m: Enable SSL / TLS Leo Famulari
@ 2016-01-06 1:11 ` Leo Famulari
2016-01-06 1:11 ` [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers Leo Famulari
1 sibling, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-01-06 1:11 UTC (permalink / raw)
To: guix-devel
* gnu/packages/patches/w3m-fix-compile.patch: Update to work with -p1.
* gnu/packages/w3m.scm (w3m): Drop patch flag -p0.
---
gnu/packages/patches/w3m-fix-compile.patch | 24 ++++++++++++++++++------
gnu/packages/w3m.scm | 2 +-
2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/gnu/packages/patches/w3m-fix-compile.patch b/gnu/packages/patches/w3m-fix-compile.patch
index 5604052..33e7486 100644
--- a/gnu/packages/patches/w3m-fix-compile.patch
+++ b/gnu/packages/patches/w3m-fix-compile.patch
@@ -1,15 +1,27 @@
+From 371f256f5f300b01be228a6fd95884ea475965fc Mon Sep 17 00:00:00 2001
+From: Leo Famulari <leo@famulari.name>
+Date: Tue, 5 Jan 2016 16:57:29 -0500
+Subject: [PATCH 1/4] fix compile
+
https://bugs.archlinux.org/task/33397
+---
+ main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
-diff -aur old/main.c new/main.c
---- main.c 2013-01-14 18:16:14.216210053 -0600
-+++ main.c 2013-01-14 18:17:28.816220559 -0600
-@@ -833,7 +833,8 @@
+diff --git a/main.c b/main.c
+index b421943..249eb1a 100644
+--- a/main.c
++++ b/main.c
+@@ -833,7 +833,8 @@ main(int argc, char **argv, char **envp)
mySignal(SIGPIPE, SigPipe);
#endif
-
+
- orig_GC_warn_proc = GC_set_warn_proc(wrap_GC_warn_proc);
+ orig_GC_warn_proc = GC_get_warn_proc();
+ GC_set_warn_proc(wrap_GC_warn_proc);
err_msg = Strnew();
if (load_argc == 0) {
- /* no URL specified */
+ /* no URL specified */
+--
+2.6.4
+
diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm
index d114d0a..627447b 100644
--- a/gnu/packages/w3m.scm
+++ b/gnu/packages/w3m.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -44,7 +45,6 @@
;; cf. https://bugs.archlinux.org/task/33397
(patches (list (search-patch "w3m-fix-compile.patch")))
- (patch-flags '("-p0"))))
(build-system gnu-build-system)
(arguments `(#:tests? #f ; no check target
#:phases (alist-cons-before
--
2.6.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers.
2016-01-06 1:11 [v2 0/2] w3m: Enable SSL / TLS Leo Famulari
2016-01-06 1:11 ` [v2 1/2] gnu: w3m: Update patch to use '-p1' Leo Famulari
@ 2016-01-06 1:11 ` Leo Famulari
2016-01-06 1:49 ` Leo Famulari
1 sibling, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-01-06 1:11 UTC (permalink / raw)
To: guix-devel
* gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: New file.
* gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: New file.
* gnu/packages/patches/w3m-disable-weak-ciphers.patch: New file.
* gnu/packages/w3m.scm (w3m)[source]: Add patches.
* gnu-system.am (dist_patch_DATA): Add the new files.
---
gnu-system.am | 3 +++
.../patches/w3m-disable-sslv2-and-sslv3.patch | 26 +++++++++++++++++++++
.../patches/w3m-disable-weak-ciphers.patch | 27 ++++++++++++++++++++++
.../patches/w3m-force-ssl_verify_server-on.patch | 27 ++++++++++++++++++++++
gnu/packages/w3m.scm | 5 +++-
5 files changed, 87 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
create mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch
create mode 100644 gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
diff --git a/gnu-system.am b/gnu-system.am
index 3dd49fe..ea1dfda 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -699,6 +699,9 @@ dist_patch_DATA = \
gnu/packages/patches/vpnc-script.patch \
gnu/packages/patches/vtk-mesa-10.patch \
gnu/packages/patches/w3m-fix-compile.patch \
+ gnu/packages/patches/w3m-force-ssl_verify_server-on.patch \
+ gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch \
+ gnu/packages/patches/w3m-disable-weak-ciphers.patch \
gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch \
gnu/packages/patches/weechat-python.patch \
gnu/packages/patches/weex-vacopy.patch \
diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
new file mode 100644
index 0000000..66989b4
--- /dev/null
+++ b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
@@ -0,0 +1,26 @@
+From cd63b1a4d70de7023ebebd0d69d99944def66340 Mon Sep 17 00:00:00 2001
+From: Leo Famulari <leo@famulari.name>
+Date: Tue, 5 Jan 2016 17:15:33 -0500
+Subject: [PATCH 3/4] Disable SSLv2 and SSLv3.
+
+The only remaining methods are TLS FIXME which
+---
+ fm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fm.h b/fm.h
+index 320906c..ddcd4fc 100644
+--- a/fm.h
++++ b/fm.h
+@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE);
+ #endif /* defined(USE_SSL) &&
+ * defined(USE_SSL_VERIFY) */
+ #ifdef USE_SSL
+-global char *ssl_forbid_method init(NULL);
++global char *ssl_forbid_method init("2, 3");
+ #endif
+
+ global int is_redisplay init(FALSE);
+--
+2.6.4
+
diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
new file mode 100644
index 0000000..4a739ee
--- /dev/null
+++ b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
@@ -0,0 +1,27 @@
+From f29e8344b3dbc95971edfca090e991c413990ba1 Mon Sep 17 00:00:00 2001
+From: Leo Famulari <leo@famulari.name>
+Date: Tue, 5 Jan 2016 18:24:33 -0500
+Subject: [PATCH 4/4] Disable weak ciphers
+
+Disable RC4, "export ciphers", and all keys < 128 bits.
+
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674
+---
+ url.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/url.c b/url.c
+index ed6062e..e86b1f3 100644
+--- a/url.c
++++ b/url.c
+@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
+ SSL_load_error_strings();
+ if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
+ goto eend;
++ SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP");
+ option = SSL_OP_ALL;
+ if (ssl_forbid_method) {
+ if (strchr(ssl_forbid_method, '2'))
+--
+2.6.4
+
diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
new file mode 100644
index 0000000..726c548
--- /dev/null
+++ b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
@@ -0,0 +1,27 @@
+From 760bfc04b5b86441d13c77e0306e315907544b64 Mon Sep 17 00:00:00 2001
+From: Leo Famulari <leo@famulari.name>
+Date: Tue, 5 Jan 2016 17:15:18 -0500
+Subject: [PATCH 2/4] Force ssl_verify_server on.
+
+By default, SSL/TLS certificates are not verified. This enables the
+verification.
+---
+ fm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fm.h b/fm.h
+index 8378939..320906c 100644
+--- a/fm.h
++++ b/fm.h
+@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE);
+ #endif
+
+ #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
+-global int ssl_verify_server init(FALSE);
++global int ssl_verify_server init(TRUE);
+ global char *ssl_cert_file init(NULL);
+ global char *ssl_key_file init(NULL);
+ global char *ssl_ca_path init(NULL);
+--
+2.6.4
+
diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm
index 627447b..36e11a6 100644
--- a/gnu/packages/w3m.scm
+++ b/gnu/packages/w3m.scm
@@ -44,7 +44,10 @@
"1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"))
;; cf. https://bugs.archlinux.org/task/33397
- (patches (list (search-patch "w3m-fix-compile.patch")))
+ (patches (list (search-patch "w3m-fix-compile.patch")
+ (search-patch "w3m-force-ssl_verify_server-on.patch")
+ (search-patch "w3m-disable-sslv2-and-sslv3.patch")
+ (search-patch "w3m-disable-weak-ciphers.patch")))))
(build-system gnu-build-system)
(arguments `(#:tests? #f ; no check target
#:phases (alist-cons-before
--
2.6.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers.
2016-01-06 1:11 ` [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers Leo Famulari
@ 2016-01-06 1:49 ` Leo Famulari
2016-01-06 2:05 ` Leo Famulari
0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-01-06 1:49 UTC (permalink / raw)
To: guix-devel
On Tue, Jan 05, 2016 at 08:11:12PM -0500, Leo Famulari wrote:
> * gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: New file.
> * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: New file.
> * gnu/packages/patches/w3m-disable-weak-ciphers.patch: New file.
> * gnu/packages/w3m.scm (w3m)[source]: Add patches.
> * gnu-system.am (dist_patch_DATA): Add the new files.
> ---
> gnu-system.am | 3 +++
> .../patches/w3m-disable-sslv2-and-sslv3.patch | 26 +++++++++++++++++++++
> .../patches/w3m-disable-weak-ciphers.patch | 27 ++++++++++++++++++++++
> .../patches/w3m-force-ssl_verify_server-on.patch | 27 ++++++++++++++++++++++
> gnu/packages/w3m.scm | 5 +++-
> 5 files changed, 87 insertions(+), 1 deletion(-)
> create mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
> create mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch
> create mode 100644 gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
>
> diff --git a/gnu-system.am b/gnu-system.am
> index 3dd49fe..ea1dfda 100644
> --- a/gnu-system.am
> +++ b/gnu-system.am
> @@ -699,6 +699,9 @@ dist_patch_DATA = \
> gnu/packages/patches/vpnc-script.patch \
> gnu/packages/patches/vtk-mesa-10.patch \
> gnu/packages/patches/w3m-fix-compile.patch \
> + gnu/packages/patches/w3m-force-ssl_verify_server-on.patch \
> + gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch \
> + gnu/packages/patches/w3m-disable-weak-ciphers.patch \
> gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch \
> gnu/packages/patches/weechat-python.patch \
> gnu/packages/patches/weex-vacopy.patch \
> diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
> new file mode 100644
> index 0000000..66989b4
> --- /dev/null
> +++ b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
> @@ -0,0 +1,26 @@
> +From cd63b1a4d70de7023ebebd0d69d99944def66340 Mon Sep 17 00:00:00 2001
> +From: Leo Famulari <leo@famulari.name>
> +Date: Tue, 5 Jan 2016 17:15:33 -0500
> +Subject: [PATCH 3/4] Disable SSLv2 and SSLv3.
> +
> +The only remaining methods are TLS FIXME which
Oops, I forgot to fill this out.
> +---
> + fm.h | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/fm.h b/fm.h
> +index 320906c..ddcd4fc 100644
> +--- a/fm.h
> ++++ b/fm.h
> +@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE);
> + #endif /* defined(USE_SSL) &&
> + * defined(USE_SSL_VERIFY) */
> + #ifdef USE_SSL
> +-global char *ssl_forbid_method init(NULL);
> ++global char *ssl_forbid_method init("2, 3");
> + #endif
> +
> + global int is_redisplay init(FALSE);
> +--
> +2.6.4
> +
> diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
> new file mode 100644
> index 0000000..4a739ee
> --- /dev/null
> +++ b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
> @@ -0,0 +1,27 @@
> +From f29e8344b3dbc95971edfca090e991c413990ba1 Mon Sep 17 00:00:00 2001
> +From: Leo Famulari <leo@famulari.name>
> +Date: Tue, 5 Jan 2016 18:24:33 -0500
> +Subject: [PATCH 4/4] Disable weak ciphers
> +
> +Disable RC4, "export ciphers", and all keys < 128 bits.
> +
> +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674
> +---
> + url.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/url.c b/url.c
> +index ed6062e..e86b1f3 100644
> +--- a/url.c
> ++++ b/url.c
> +@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
> + SSL_load_error_strings();
> + if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
> + goto eend;
> ++ SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP");
> + option = SSL_OP_ALL;
> + if (ssl_forbid_method) {
> + if (strchr(ssl_forbid_method, '2'))
> +--
> +2.6.4
> +
> diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
> new file mode 100644
> index 0000000..726c548
> --- /dev/null
> +++ b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
> @@ -0,0 +1,27 @@
> +From 760bfc04b5b86441d13c77e0306e315907544b64 Mon Sep 17 00:00:00 2001
> +From: Leo Famulari <leo@famulari.name>
> +Date: Tue, 5 Jan 2016 17:15:18 -0500
> +Subject: [PATCH 2/4] Force ssl_verify_server on.
> +
> +By default, SSL/TLS certificates are not verified. This enables the
> +verification.
> +---
> + fm.h | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/fm.h b/fm.h
> +index 8378939..320906c 100644
> +--- a/fm.h
> ++++ b/fm.h
> +@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE);
> + #endif
> +
> + #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
> +-global int ssl_verify_server init(FALSE);
> ++global int ssl_verify_server init(TRUE);
> + global char *ssl_cert_file init(NULL);
> + global char *ssl_key_file init(NULL);
> + global char *ssl_ca_path init(NULL);
> +--
> +2.6.4
> +
> diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm
> index 627447b..36e11a6 100644
> --- a/gnu/packages/w3m.scm
> +++ b/gnu/packages/w3m.scm
> @@ -44,7 +44,10 @@
> "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"))
>
> ;; cf. https://bugs.archlinux.org/task/33397
> - (patches (list (search-patch "w3m-fix-compile.patch")))
> + (patches (list (search-patch "w3m-fix-compile.patch")
> + (search-patch "w3m-force-ssl_verify_server-on.patch")
> + (search-patch "w3m-disable-sslv2-and-sslv3.patch")
> + (search-patch "w3m-disable-weak-ciphers.patch")))))
> (build-system gnu-build-system)
> (arguments `(#:tests? #f ; no check target
> #:phases (alist-cons-before
> --
> 2.6.4
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers.
2016-01-06 1:49 ` Leo Famulari
@ 2016-01-06 2:05 ` Leo Famulari
0 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-01-06 2:05 UTC (permalink / raw)
To: guix-devel
On Tue, Jan 05, 2016 at 08:49:12PM -0500, Leo Famulari wrote:
> On Tue, Jan 05, 2016 at 08:11:12PM -0500, Leo Famulari wrote:
> > * gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: New file.
> > * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: New file.
> > * gnu/packages/patches/w3m-disable-weak-ciphers.patch: New file.
> > * gnu/packages/w3m.scm (w3m)[source]: Add patches.
> > * gnu-system.am (dist_patch_DATA): Add the new files.
> > ---
> > gnu-system.am | 3 +++
> > .../patches/w3m-disable-sslv2-and-sslv3.patch | 26 +++++++++++++++++++++
> > .../patches/w3m-disable-weak-ciphers.patch | 27 ++++++++++++++++++++++
> > .../patches/w3m-force-ssl_verify_server-on.patch | 27 ++++++++++++++++++++++
> > gnu/packages/w3m.scm | 5 +++-
> > 5 files changed, 87 insertions(+), 1 deletion(-)
> > create mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
> > create mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch
> > create mode 100644 gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
> >
> > diff --git a/gnu-system.am b/gnu-system.am
> > index 3dd49fe..ea1dfda 100644
> > --- a/gnu-system.am
> > +++ b/gnu-system.am
> > @@ -699,6 +699,9 @@ dist_patch_DATA = \
> > gnu/packages/patches/vpnc-script.patch \
> > gnu/packages/patches/vtk-mesa-10.patch \
> > gnu/packages/patches/w3m-fix-compile.patch \
> > + gnu/packages/patches/w3m-force-ssl_verify_server-on.patch \
> > + gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch \
> > + gnu/packages/patches/w3m-disable-weak-ciphers.patch \
> > gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch \
> > gnu/packages/patches/weechat-python.patch \
> > gnu/packages/patches/weex-vacopy.patch \
> > diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
> > new file mode 100644
> > index 0000000..66989b4
> > --- /dev/null
> > +++ b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
> > @@ -0,0 +1,26 @@
> > +From cd63b1a4d70de7023ebebd0d69d99944def66340 Mon Sep 17 00:00:00 2001
> > +From: Leo Famulari <leo@famulari.name>
> > +Date: Tue, 5 Jan 2016 17:15:33 -0500
> > +Subject: [PATCH 3/4] Disable SSLv2 and SSLv3.
> > +
> > +The only remaining methods are TLS FIXME which
>
> Oops, I forgot to fill this out.
Updated patch set sent as v3.
>
> > +---
> > + fm.h | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/fm.h b/fm.h
> > +index 320906c..ddcd4fc 100644
> > +--- a/fm.h
> > ++++ b/fm.h
> > +@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE);
> > + #endif /* defined(USE_SSL) &&
> > + * defined(USE_SSL_VERIFY) */
> > + #ifdef USE_SSL
> > +-global char *ssl_forbid_method init(NULL);
> > ++global char *ssl_forbid_method init("2, 3");
> > + #endif
> > +
> > + global int is_redisplay init(FALSE);
> > +--
> > +2.6.4
> > +
> > diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
> > new file mode 100644
> > index 0000000..4a739ee
> > --- /dev/null
> > +++ b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
> > @@ -0,0 +1,27 @@
> > +From f29e8344b3dbc95971edfca090e991c413990ba1 Mon Sep 17 00:00:00 2001
> > +From: Leo Famulari <leo@famulari.name>
> > +Date: Tue, 5 Jan 2016 18:24:33 -0500
> > +Subject: [PATCH 4/4] Disable weak ciphers
> > +
> > +Disable RC4, "export ciphers", and all keys < 128 bits.
> > +
> > +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674
> > +---
> > + url.c | 1 +
> > + 1 file changed, 1 insertion(+)
> > +
> > +diff --git a/url.c b/url.c
> > +index ed6062e..e86b1f3 100644
> > +--- a/url.c
> > ++++ b/url.c
> > +@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
> > + SSL_load_error_strings();
> > + if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
> > + goto eend;
> > ++ SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP");
> > + option = SSL_OP_ALL;
> > + if (ssl_forbid_method) {
> > + if (strchr(ssl_forbid_method, '2'))
> > +--
> > +2.6.4
> > +
> > diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
> > new file mode 100644
> > index 0000000..726c548
> > --- /dev/null
> > +++ b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
> > @@ -0,0 +1,27 @@
> > +From 760bfc04b5b86441d13c77e0306e315907544b64 Mon Sep 17 00:00:00 2001
> > +From: Leo Famulari <leo@famulari.name>
> > +Date: Tue, 5 Jan 2016 17:15:18 -0500
> > +Subject: [PATCH 2/4] Force ssl_verify_server on.
> > +
> > +By default, SSL/TLS certificates are not verified. This enables the
> > +verification.
> > +---
> > + fm.h | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/fm.h b/fm.h
> > +index 8378939..320906c 100644
> > +--- a/fm.h
> > ++++ b/fm.h
> > +@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE);
> > + #endif
> > +
> > + #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
> > +-global int ssl_verify_server init(FALSE);
> > ++global int ssl_verify_server init(TRUE);
> > + global char *ssl_cert_file init(NULL);
> > + global char *ssl_key_file init(NULL);
> > + global char *ssl_ca_path init(NULL);
> > +--
> > +2.6.4
> > +
> > diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm
> > index 627447b..36e11a6 100644
> > --- a/gnu/packages/w3m.scm
> > +++ b/gnu/packages/w3m.scm
> > @@ -44,7 +44,10 @@
> > "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"))
> >
> > ;; cf. https://bugs.archlinux.org/task/33397
> > - (patches (list (search-patch "w3m-fix-compile.patch")))
> > + (patches (list (search-patch "w3m-fix-compile.patch")
> > + (search-patch "w3m-force-ssl_verify_server-on.patch")
> > + (search-patch "w3m-disable-sslv2-and-sslv3.patch")
> > + (search-patch "w3m-disable-weak-ciphers.patch")))))
> > (build-system gnu-build-system)
> > (arguments `(#:tests? #f ; no check target
> > #:phases (alist-cons-before
> > --
> > 2.6.4
> >
> >
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-01-06 2:05 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-01-06 1:11 [v2 0/2] w3m: Enable SSL / TLS Leo Famulari
2016-01-06 1:11 ` [v2 1/2] gnu: w3m: Update patch to use '-p1' Leo Famulari
2016-01-06 1:11 ` [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and ciphers Leo Famulari
2016-01-06 1:49 ` Leo Famulari
2016-01-06 2:05 ` Leo Famulari
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.