[SOUP] [GnuTLS] Don't use a SSL3.0 record version in client hello.
author    clopez@igalia.com <clopez@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Nov 2014 09:32:23 +0000 (09:32 +0000)
committer clopez@igalia.com <clopez@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Nov 2014 09:32:23 +0000 (09:32 +0000)
https://bugs.webkit.org/show_bug.cgi?id=138794

Reviewed by Sergio Villar Senin.

It seems that following POODLE many sites incorrectly banned SSL 3.0
record packet versions. Since GnuTLS uses a SSL 3.0 record to
advertise TLS 1.2, they are effectively banning it even if it doesn't
advertise SSL 3.0. That is a server issue, but it can be worked around
by using the modifier %LATEST_RECORD_VERSION.

With this modifier, GnuTLS will use the latest TLS version record
in client hello instead of using the default SSL 3.0.

* NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp:
(main):
* WebProcess/EntryPoint/unix/WebProcessMain.cpp:
(main):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@176252 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp
Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp

index 5038ae9a1f25b3a55880c025079d0af46fc61d43..87ebde2008e13d54fb03c8cda1b2b4b9395bb1f0 100644 (file)
@@ -1,3 +1,24 @@
+2014-11-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>
+
+        [SOUP] [GnuTLS] Don't use a SSL3.0 record version in client hello.
+        https://bugs.webkit.org/show_bug.cgi?id=138794
+
+        Reviewed by Sergio Villar Senin.
+
+        It seems that following POODLE many sites incorrectly banned SSL 3.0
+        record packet versions. Since GnuTLS uses a SSL 3.0 record to
+        advertise TLS 1.2, they are effectively banning it even if it doesn't
+        advertise SSL 3.0. That is a server issue, but it can be worked around
+        by using the modifier %LATEST_RECORD_VERSION.
+
+        With this modifier, GnuTLS will use the latest TLS version record
+        in client hello instead of using the default SSL 3.0.
+
+        * NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp:
+        (main):
+        * WebProcess/EntryPoint/unix/WebProcessMain.cpp:
+        (main):
+
 2014-11-17  Conrad Shultz  <conrad_shultz@apple.com>
 
         Page previews should be loaded sooner
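Review bot: the ChangeLog entry does not state which GnuTLS versions recognize the %LATEST_RECORD_VERSION keyword, so a reader cannot tell from this entry whether every GnuTLS build the SOUP ports are run against will accept the new priority string; please add one sentence after the paragraph beginning "With this modifier", for example "%LATEST_RECORD_VERSION is recognized since GnuTLS <version>" (with the real minimum version, or a link to the GnuTLS priority-string documentation), so that the compatibility requirement introduced by this change is documented next to its rationale.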
index c42baa8e94e16d8e8e97ae256d9a2496f144f958..1acd133c7d18dee468fe4a907997caaa98db9696 100644 (file)
@@ -39,7 +39,7 @@ int main(int argc, char** argv)
     // overwrite this priority string if it's already set by the user.
     // Keep this in sync with WebProcessMain.cpp.
     // https://bugzilla.gnome.org/show_bug.cgi?id=738633
-    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
+    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0", 0);
 
     return NetworkProcessMainUnix(argc, argv);
 }
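Review bot: the comment block above the setenv call still cites only https://bugzilla.gnome.org/show_bug.cgi?id=738633, which documents the !VERS-SSL3.0 part of the string but says nothing about the newly added %LATEST_RECORD_VERSION; add a line such as `// %LATEST_RECORD_VERSION: use the latest TLS record version in the client hello, see https://bugs.webkit.org/show_bug.cgi?id=138794` so that a future cleanup of the priority string does not drop the modifier without knowing why it is there. Since the last setenv argument is 0, the workaround is also not applied when the user has already exported G_TLS_GNUTLS_PRIORITY; that matches the existing comment, but it is worth mentioning in the ChangeLog so that bug reports from users with a custom priority string can be triaged quickly.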
index 260620a766911a8162cbb10717aa137cba3a9271..87b45b3c5c0d336ef869cac761d62e1fd58eae59 100644 (file)
@@ -39,7 +39,7 @@ int main(int argc, char** argv)
     // overwrite this priority string if it's already set by the user.
     // Keep this in sync with NetworkProcessMain.cpp.
     // https://bugzilla.gnome.org/show_bug.cgi?id=738633
-    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
+    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0", 0);
 
     return WebProcessMainUnix(argc, argv);
 }
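Review bot: this hunk is a verbatim duplicate of the change in NetworkProcessMain.cpp, and the two entry points depend on a "Keep this in sync" comment to stay identical; consider moving the priority string into a shared constant in a header included by both files, so that the next adjustment cannot be applied to one process and missed in the other. The string itself is fine as written: !VERS-SSL3.0 is still present, so SSL 3.0 remains disabled for the WebProcess and only the record-layer version advertised in the client hello changes, as the ChangeLog describes.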