bug-guix

bug#34102: [staging] Guix fails to download from TLSv1.3-enabled servers


From: Ricardo Wurmus
Subject: bug#34102: [staging] Guix fails to download from TLSv1.3-enabled servers
Date: Fri, 25 Jan 2019 15:04:51 +0100
User-agent: mu4e 1.0; emacs 26.1

Ludovic Courtès <address@hidden> writes:

>> This is an obvious merge blocker, help wanted!  Disabling TLS1.3 in the
>> priority string works as a last-resort workaround.
>
> Yes, that’s a stop-gap measure we should probably apply for now:
>
> diff --git a/guix/build/download.scm b/guix/build/download.scm
> index c08221b3b2..23c9a4d466 100644
> --- a/guix/build/download.scm
> +++ b/guix/build/download.scm
> @@ -268,7 +268,10 @@ host name without trailing dot."
>      ;; "(gnutls) Priority Strings"); see <http://bugs.gnu.org/23311>.
>      ;; Explicitly disable SSLv3, which is insecure:
>      ;; <https://tools.ietf.org/html/rfc7568>.
> -    (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0")
> +    ;;
> +    ;; FIXME: Since we currently fail to handle TLS 1.3, remove it; see
> +    ;; <https://bugs.gnu.org/34102>.
> +    (set-session-priorities! session 
> "NORMAL:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.3")
>  
>      (set-session-credentials! session
>                                (if (and verify-certificate? ca-certs)
>
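
Review bot: the FIXME in the added comment names the bug but not the condition for removing "-VERS-TLS1.3" again; state there that the flag is a workaround to be dropped once TLS 1.3 handshakes succeed, so it does not outlive the fix. Until then this priority string caps every session set up through this code path at TLS 1.2, which is worth noting in the comment next to the existing SSLv3 rationale, since that line explains a removal made for security reasons and this one is made for compatibility.
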
> Any objections?

I think it’s fine to do this to allow us to merge the staging branch
before fixing the problem in the Guile bindings.

-- 
Ricardo





