20231103 problem in X11/VNC s12_76
authorAlan Coopersmith <Alan.Coopersmith@Oracle.COM>
Wed, 03 Jun 2015 13:30:36 -0700
changeset 1542 eb65194dfd59
parent 1541 a4afd91ee391
child 1543 fcd3736b01dc
20231103 problem in X11/VNC
open-src/xserver/xvnc/Makefile
open-src/xserver/xvnc/gnutls-disable-sslv3.patch
--- a/open-src/xserver/xvnc/Makefile	Wed May 27 16:45:04 2015 -0700
+++ b/open-src/xserver/xvnc/Makefile	Wed Jun 03 13:30:36 2015 -0700
@@ -82,6 +82,7 @@
 SOURCE_PATCHES += 17950657.patch,-p1
 SOURCE_PATCHES += studio12.4-patch,-p1
 SOURCE_PATCHES += CVE-2014-8240.patch,-p1
+SOURCE_PATCHES += gnutls-disable-sslv3.patch,-p1
 
 # Need to regenerate autoconf/automake files after patching
 AUTORECONF=yes
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/open-src/xserver/xvnc/gnutls-disable-sslv3.patch	Wed Jun 03 13:30:36 2015 -0700
@@ -0,0 +1,38 @@
+Disable SSLv3 as long as we're using GNU TLS 2.8 - we should be able to drop
+this once we upgrade to GNU TLS 3.4.0 or later, which disable it by default
+per http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007535.html
+
+diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
+index 3421de5..3a55d16 100644
+--- a/common/rfb/CSecurityTLS.cxx
++++ b/common/rfb/CSecurityTLS.cxx
+@@ -184,8 +184,10 @@ bool CSecurityTLS::processMsg(CConnection* cc)
+     if (gnutls_init(&session, GNUTLS_CLIENT) != GNUTLS_E_SUCCESS)
+       throw AuthFailureException("gnutls_init failed");
+ 
+-    if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)
+-      throw AuthFailureException("gnutls_set_default_priority failed");
++    // SSL 3.0 is enabled by default in GNU TLS 2.8, but we want it off
++    if (gnutls_priority_set_direct(session, "NORMAL:-VERS-SSL3.0", NULL)
++	!= GNUTLS_E_SUCCESS)
++      throw AuthFailureException("gnutls_priority_set_direct failed");
+ 
+     setParam();
+     
+diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
+index 2ea84e0..5cd4739 100644
+--- a/common/rfb/SSecurityTLS.cxx
++++ b/common/rfb/SSecurityTLS.cxx
+@@ -137,8 +137,10 @@ bool SSecurityTLS::processMsg(SConnection *sc)
+     if (gnutls_init(&session, GNUTLS_SERVER) != GNUTLS_E_SUCCESS)
+       throw AuthFailureException("gnutls_init failed");
+ 
+-    if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)
+-      throw AuthFailureException("gnutls_set_default_priority failed");
++    // SSL 3.0 is enabled by default in GNU TLS 2.8, but we want it off
++    if (gnutls_priority_set_direct(session, "NORMAL:-VERS-SSL3.0", NULL)
++	!= GNUTLS_E_SUCCESS)
++      throw AuthFailureException("gnutls_priority_set_direct failed");
+ 
+     try {
+       setParams(session);
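Review bot: The new gnutls_priority_set_direct() calls in the nested CSecurityTLS.cxx and SSecurityTLS.cxx hunks pass NULL as the err_pos argument, so a rejected priority string (for example on a GnuTLS build that does not recognise a keyword) fails with only "gnutls_priority_set_direct failed" and no indication of which token was refused. Capturing the position costs one local and makes the failure diagnosable: `const char *err_pos = NULL;` before the call, `&err_pos` instead of `NULL` as the third argument, and a message that includes `err_pos` (when non-NULL) in the thrown AuthFailureException. The priority string "NORMAL:-VERS-SSL3.0" is also duplicated verbatim between the client and server files; a single shared constant would keep the two sides from drifting when the workaround is revisited, and the patch header already states it should be dropped once GnuTLS 3.4.0 or later is in use, which is worth carrying into the code as a TODO next to the comment. Both processMsg() bodies start before and continue past the quoted hunks.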