bug#34102: [staging] Guix fails to download from TLSv1.3-enabled servers
From: Ricardo Wurmus
Subject: bug#34102: [staging] Guix fails to download from TLSv1.3-enabled servers
Date: Fri, 25 Jan 2019 15:04:51 +0100
User-agent: mu4e 1.0; emacs 26.1
Ludovic Courtès <address@hidden> writes:
>> This is an obvious merge blocker, help wanted! Disabling TLS1.3 in the
>> priority string works as a last-resort workaround.
>
> Yes, that’s a stop-gap measure we should probably apply for now:
>
> diff --git a/guix/build/download.scm b/guix/build/download.scm
> index c08221b3b2..23c9a4d466 100644
> --- a/guix/build/download.scm
> +++ b/guix/build/download.scm
> @@ -268,7 +268,10 @@ host name without trailing dot."
> ;; "(gnutls) Priority Strings"); see <http://bugs.gnu.org/23311>.
> ;; Explicitly disable SSLv3, which is insecure:
> ;; <https://tools.ietf.org/html/rfc7568>.
> - (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0")
> + ;;
> + ;; FIXME: Since we currently fail to handle TLS 1.3, remove it; see
> + ;; <https://bugs.gnu.org/34102>.
> + (set-session-priorities! session
> "NORMAL:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.3")
>
> (set-session-credentials! session
> (if (and verify-certificate? ca-certs)
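Review bot: the continuation line `"NORMAL:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.3")` of the new `set-session-priorities!` call has no leading `+`, so the hunk as quoted will not apply with `git apply` (it also makes the `+268,10` count in the hunk header not match the lines shown); this looks like mail wrapping, so the hunk should be applied from the original message rather than from this quote. On the substance, the FIXME says why TLS 1.3 is removed but not what the change costs: with `-VERS-TLS1.3` in the priority string every download negotiates at most TLS 1.2, including against servers that offer 1.3, which is fine as a stop-gap but is a different kind of exclusion from the permanent `-VERS-SSL3.0` above it. I would have the comment say so explicitly, naming the Guile bindings as the component that cannot handle TLS 1.3 and stating that the `-VERS-TLS1.3` keyword is to be dropped once they do, so the downgrade does not outlive the bug it works around.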
>
> Any objections?
I think it’s fine to do this to allow us to merge the staging branch
before fixing the problem in the Guile bindings.
--
Ricardo