From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: [v2 2/2] gnu: w3m: Enable SSL, disable broken protocols and
	ciphers.
Date: Tue, 5 Jan 2016 20:49:12 -0500
Message-ID: <20160106014912.GA19070@jasmine>
References: <cover.1452042322.git.leo@famulari.name>
	<d54e3f576279d76d3e1e8e1a068b7817aeb6c1da.1452042322.git.leo@famulari.name>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:52109)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1aGdE0-0004Ky-42
	for guix-devel@gnu.org; Tue, 05 Jan 2016 20:49:21 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1aGdDr-0005j4-7C
	for guix-devel@gnu.org; Tue, 05 Jan 2016 20:49:15 -0500
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:47392)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1aGdDr-0005iw-0W
	for guix-devel@gnu.org; Tue, 05 Jan 2016 20:49:11 -0500
Received: from localhost (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231])
	by mail.messagingengine.com (Postfix) with ESMTPA id 412EBC016F0
	for <guix-devel@gnu.org>; Tue,  5 Jan 2016 20:49:10 -0500 (EST)
Content-Disposition: inline
In-Reply-To: <d54e3f576279d76d3e1e8e1a068b7817aeb6c1da.1452042322.git.leo@famulari.name>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: guix-devel@gnu.org

On Tue, Jan 05, 2016 at 08:11:12PM -0500, Leo Famulari wrote:
> * gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: New file.
> * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: New file.
> * gnu/packages/patches/w3m-disable-weak-ciphers.patch: New file.
> * gnu/packages/w3m.scm (w3m)[source]: Add patches.
> * gnu-system.am (dist_patch_DATA): Add the new files.
> ---
>  gnu-system.am                                      |  3 +++
>  .../patches/w3m-disable-sslv2-and-sslv3.patch      | 26 +++++++++++++++++++++
>  .../patches/w3m-disable-weak-ciphers.patch         | 27 ++++++++++++++++++++++
>  .../patches/w3m-force-ssl_verify_server-on.patch   | 27 ++++++++++++++++++++++
>  gnu/packages/w3m.scm                               |  5 +++-
>  5 files changed, 87 insertions(+), 1 deletion(-)
>  create mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
>  create mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch
>  create mode 100644 gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
> 
> diff --git a/gnu-system.am b/gnu-system.am
> index 3dd49fe..ea1dfda 100644
> --- a/gnu-system.am
> +++ b/gnu-system.am
> @@ -699,6 +699,9 @@ dist_patch_DATA =						\
>    gnu/packages/patches/vpnc-script.patch			\
>    gnu/packages/patches/vtk-mesa-10.patch			\
>    gnu/packages/patches/w3m-fix-compile.patch			\
> +  gnu/packages/patches/w3m-force-ssl_verify_server-on.patch	\
> +  gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch	\
> +  gnu/packages/patches/w3m-disable-weak-ciphers.patch		\
>    gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch	\
>    gnu/packages/patches/weechat-python.patch			\
>    gnu/packages/patches/weex-vacopy.patch			\
> diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
> new file mode 100644
> index 0000000..66989b4
> --- /dev/null
> +++ b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
> @@ -0,0 +1,26 @@
> +From cd63b1a4d70de7023ebebd0d69d99944def66340 Mon Sep 17 00:00:00 2001
> +From: Leo Famulari <leo@famulari.name>
> +Date: Tue, 5 Jan 2016 17:15:33 -0500
> +Subject: [PATCH 3/4] Disable SSLv2 and SSLv3.
> +
> +The only remaining methods are TLS FIXME which

Oops, I forgot to fill this out.

> +---
> + fm.h | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/fm.h b/fm.h
> +index 320906c..ddcd4fc 100644
> +--- a/fm.h
> ++++ b/fm.h
> +@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE);
> + #endif				/* defined(USE_SSL) &&
> + 				 * defined(USE_SSL_VERIFY) */
> + #ifdef USE_SSL
> +-global char *ssl_forbid_method init(NULL);
> ++global char *ssl_forbid_method init("2, 3");
> + #endif
> + 
> + global int is_redisplay init(FALSE);
> +-- 
> +2.6.4
> +
> diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
> new file mode 100644
> index 0000000..4a739ee
> --- /dev/null
> +++ b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
> @@ -0,0 +1,27 @@
> +From f29e8344b3dbc95971edfca090e991c413990ba1 Mon Sep 17 00:00:00 2001
> +From: Leo Famulari <leo@famulari.name>
> +Date: Tue, 5 Jan 2016 18:24:33 -0500
> +Subject: [PATCH 4/4] Disable weak ciphers
> +
> +Disable RC4, "export ciphers", and all keys < 128 bits.
> +
> +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674
> +---
> + url.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/url.c b/url.c
> +index ed6062e..e86b1f3 100644
> +--- a/url.c
> ++++ b/url.c
> +@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
> + 	SSL_load_error_strings();
> + 	if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
> + 	    goto eend;
> ++	SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP");
> + 	option = SSL_OP_ALL;
> + 	if (ssl_forbid_method) {
> + 	    if (strchr(ssl_forbid_method, '2'))
> +-- 
> +2.6.4
> +
> diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
> new file mode 100644
> index 0000000..726c548
> --- /dev/null
> +++ b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
> @@ -0,0 +1,27 @@
> +From 760bfc04b5b86441d13c77e0306e315907544b64 Mon Sep 17 00:00:00 2001
> +From: Leo Famulari <leo@famulari.name>
> +Date: Tue, 5 Jan 2016 17:15:18 -0500
> +Subject: [PATCH 2/4] Force ssl_verify_server on.
> +
> +By default, SSL/TLS certificates are not verified. This enables the
> +verification.
> +---
> + fm.h | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/fm.h b/fm.h
> +index 8378939..320906c 100644
> +--- a/fm.h
> ++++ b/fm.h
> +@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE);
> + #endif
> + 
> + #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
> +-global int ssl_verify_server init(FALSE);
> ++global int ssl_verify_server init(TRUE);
> + global char *ssl_cert_file init(NULL);
> + global char *ssl_key_file init(NULL);
> + global char *ssl_ca_path init(NULL);
> +-- 
> +2.6.4
> +
> diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm
> index 627447b..36e11a6 100644
> --- a/gnu/packages/w3m.scm
> +++ b/gnu/packages/w3m.scm
> @@ -44,7 +44,10 @@
>                 "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"))
>  
>               ;; cf. https://bugs.archlinux.org/task/33397
> -             (patches (list (search-patch "w3m-fix-compile.patch")))
> +             (patches (list (search-patch "w3m-fix-compile.patch")
> +                            (search-patch "w3m-force-ssl_verify_server-on.patch")
> +                            (search-patch "w3m-disable-sslv2-and-sslv3.patch")
> +                            (search-patch "w3m-disable-weak-ciphers.patch")))))
>      (build-system gnu-build-system)
>      (arguments `(#:tests? #f  ; no check target
>                   #:phases (alist-cons-before
> -- 
> 2.6.4
> 
>