2012-08-09 [colin] 3.8.1cvs26
[claws.git] / src / common / ssl.c
index a16c58ac3074d269c9f67c92453fb67721e3dcf2..9e8b242b7548bfac03a7cb5a6cab89043de7cc5a 100644 (file)
@@ -1,6 +1,6 @@
 /*
  * Sylpheed -- a GTK+ based, lightweight, and fast e-mail client
- * Copyright (C) 1999-2009 Hiroyuki Yamamoto and the Claws Mail team
+ * Copyright (C) 1999-2012 Hiroyuki Yamamoto and the Claws Mail team
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -19,6 +19,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include "config.h"
+#include "claws-features.h"
 #endif
 
 #ifdef USE_GNUTLS
 #include <glib/gi18n.h>
 #include <errno.h>
 #include <pthread.h>
+
+#if GNUTLS_VERSION_NUMBER <= 0x020b00
 #include <gcrypt.h>
 GCRY_THREAD_OPTION_PTHREAD_IMPL;
+#endif
 
 #include "claws.h"
 #include "utils.h"
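Review bot: `GNUTLS_VERSION_NUMBER` is tested on the new `#if` line before any visible `#include <gnutls/gnutls.h>`, so unless config.h or claws-features.h happens to define it, the preprocessor evaluates the undefined name as 0 and the `<= 0x020b00` branch is always taken, compiling the gcrypt thread-callback setup even against GnuTLS builds where it is no longer needed. The same test guards `gcry_control` in `ssl_init` in the later hunk, so both sites silently collapse to the old behaviour. Adding `#include <gnutls/gnutls.h>` above the `#if` makes the version check meaningful in both places; if the macro is in fact provided by one of those two headers, a one-line comment saying so would save the next reader the same investigation.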
@@ -101,6 +105,7 @@ const gchar *claws_ssl_get_cert_file(void)
        const char *cert_files[]={
                "/etc/pki/tls/certs/ca-bundle.crt",
                "/etc/certs/ca-bundle.crt",
+               "/etc/ssl/ca-bundle.pem",
                "/usr/share/ssl/certs/ca-bundle.crt",
                "/etc/ssl/certs/ca-certificates.crt",
                "/usr/local/ssl/certs/ca-bundle.crt",
@@ -153,7 +158,9 @@ const gchar *claws_ssl_get_cert_dir(void)
 
 void ssl_init(void)
 {
+#if GNUTLS_VERSION_NUMBER <= 0x020b00
        gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+#endif
 #ifdef HAVE_LIBETPAN
        mailstream_gnutls_init_not_required();
 #endif 
@@ -246,17 +253,6 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
 {
        gnutls_session session;
        int r;
-       const int cipher_prio[] = { GNUTLS_CIPHER_AES_128_CBC,
-                               GNUTLS_CIPHER_3DES_CBC,
-                               GNUTLS_CIPHER_AES_256_CBC,
-                               GNUTLS_CIPHER_ARCFOUR_128, 0 };
-       const int kx_prio[] = { GNUTLS_KX_DHE_RSA,
-                          GNUTLS_KX_RSA, 
-                          GNUTLS_KX_DHE_DSS, 0 };
-       const int mac_prio[] = { GNUTLS_MAC_SHA1,
-                               GNUTLS_MAC_MD5, 0 };
-       const int proto_prio[] = { GNUTLS_TLS1,
-                                 GNUTLS_SSL3, 0 };
        const gnutls_datum *raw_cert_list;
        unsigned int raw_cert_list_length;
        gnutls_x509_crt cert = NULL;
@@ -269,12 +265,15 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
        r = gnutls_init(&session, GNUTLS_CLIENT);
        if (session == NULL || r != 0)
                return FALSE;
-  
-       gnutls_set_default_priority(session);
-       gnutls_protocol_set_priority (session, proto_prio);
-       gnutls_cipher_set_priority (session, cipher_prio);
-       gnutls_kx_set_priority (session, kx_prio);
-       gnutls_mac_set_priority (session, mac_prio);
+
+#if GNUTLS_VERSION_NUMBER < 0x030003
+       gnutls_transport_set_lowat (session, 0); 
+#endif
+       if (method == 0)
+               gnutls_priority_set_direct(session, "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2", NULL);
+       else
+               gnutls_priority_set_direct(session, "NORMAL", NULL);
+       gnutls_record_disable_padding(session);
 
        gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
 
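Review bot: The return value of `gnutls_priority_set_direct` is ignored on both branches after the `#endif`, so a priority string the linked GnuTLS rejects leaves the session without usable priorities and the failure only surfaces later in the handshake, while `r` still holds the `gnutls_init` result. Capture it and bail out the same way the `gnutls_init` check above does: `r = gnutls_priority_set_direct(session, prio, NULL); if (r != GNUTLS_E_SUCCESS) { gnutls_deinit(session); return FALSE; }`, with `prio` being the string selected by `method`. Separately, if `method == 0` is the "SSLv23"/auto-negotiate setting, the string `NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2` disables every TLS version and leaves only SSL 3.0, which is narrower and weaker than the `proto_prio` list removed earlier in this commit allowed; a comment stating that this is intended would help. ssl_init_socket_with_method continues outside the hunk.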
@@ -317,7 +316,7 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
 
        r = gnutls_certificate_verify_peers2(session, &status);
 
-       if (!ssl_certificate_check(cert, status, sockinfo->canonical_name, sockinfo->hostname, sockinfo->port)) {
+       if (!ssl_certificate_check(cert, status, sockinfo->hostname, sockinfo->port)) {
                gnutls_x509_crt_deinit(cert);
                gnutls_certificate_free_credentials(xcred);
                gnutls_deinit(session);