From 582a887e61cea2dd0f64d462d919f8688fb7862f Mon Sep 17 00:00:00 2001
From: Tim Ruehsen
Date: Thu, 16 Oct 2014 20:44:56 +0200
Subject: [PATCH] GnuTLS: do not use SSLv3 except explicitely requested

---
 src/ChangeLog | 4 ++++
 src/gnutls.c  | 5 +++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 1c4e2d5..00d3c10 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,7 @@
+2014-10-16  Tim Ruehsen
+
+	* gnutls.c (ssl_connect_wget): do not use SSLv3 except explicitely requested
+
 2014-05-03  Tim Ruehsen
 
 	* retr.c (retrieve_url): fixed memory leak
diff --git a/src/gnutls.c b/src/gnutls.c
index c09b7a2..75627e1 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -436,6 +436,7 @@ ssl_connect_wget (int fd, const char *hostname)
   switch (opt.secure_protocol)
     {
     case secure_protocol_auto:
+      err = gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-SSL3.0", NULL);
       break;
     case secure_protocol_sslv2:
     case secure_protocol_sslv3:
@@ -445,10 +446,10 @@ ssl_connect_wget (int fd, const char *hostname)
       err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL);
       break;
     case secure_protocol_pfs:
-      err = gnutls_priority_set_direct (session, "PFS", NULL);
+      err = gnutls_priority_set_direct (session, "PFS:-VERS-SSL3.0", NULL);
       if (err != GNUTLS_E_SUCCESS)
         /* fallback if PFS is not available */
-        err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
+        err = gnutls_priority_set_direct (session, "NORMAL:-RSA:-VERS-SSL3.0", NULL);
       break;
     default:
       abort ();
-- 
2.1.1
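Review bot: The `-VERS-SSL3.0` exclusion is now hand-written into four separate priority strings inside this switch (the new `secure_protocol_auto` line, the `"NORMAL:-VERS-SSL3.0"` context line, and both strings in the `secure_protocol_pfs` branch), so the next protocol version to be retired has to be chased through each of them and one is easy to miss; a single file-scope suffix such as `#define WGET_NO_SSL3 ":-VERS-SSL3.0"` appended to each literal (`"NORMAL:%COMPAT" WGET_NO_SSL3`, `"PFS" WGET_NO_SSL3`, `"NORMAL:-RSA" WGET_NO_SSL3`) keeps the version policy in one place. The added `auto` line also introduces `%COMPAT` without explanation while the explicit-mode branches omit it, so a one-line comment such as `/* default mode: keep GnuTLS interoperability workarounds, but never negotiate SSLv3 unless --secure-protocol asks for it */` would record why the default is looser than the explicit modes. Note too that the PFS branch treats any `gnutls_priority_set_direct` failure as "PFS keyword unsupported" and passes `NULL` as the error-position argument, so a typo in either string is silently absorbed by the `NORMAL:-RSA:-VERS-SSL3.0` fallback rather than reported; passing a `const char *` position and logging it on failure would make such mistakes visible. ssl_connect_wget begins before the first hunk and continues past `abort ()`, and the check of `err` after the switch is outside what is shown here.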