invalid GnuTLS ciphers string for GnuTLS < 2.11.5
Reported by: James Ralston
Owned by:
Component version:
Operating system type: Linux
Operating system version: RHEL6

Description
FileZilla supports GnuTLS versions 2.8.3 and later.
However, in src/engine/tlssocket.cpp, the following code appears:
    #if GNUTLS_VERSION_NUMBER >= 0x030100
        char const* ciphers = "SECURE256:+SECURE128:+ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP";
    #else
        // Versions before 3.1.0 cannot combine level keywords
        char const* ciphers = "SECURE128:+ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP";
    #endif
But this is wrong, because SIGN-ALL wasn't added to GnuTLS until version 2.11.5. From the GnuTLS NEWS file:
    * Version 2.11.5 (released 2010-12-01)

    ** libgnutls: Reverted default behavior for verification and introduced
    GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default V1 trusted CAs
    are allowed, unless the new flag is specified.

    ** libgnutls: Correctly add leading zero to PKCS #8 encoded DSA key.
    Reported by Jeffrey Walton.

    ** libgnutls: Added SIGN-ALL, CTYPE-ALL, COMP-ALL, and VERS-TLS-ALL as
    priority strings. Those allow to set all the supported algorithms at once.
Because of this bug, FTPS support is broken on Red Hat Enterprise Linux 6, which is a very common Linux distribution.
I created the attached patch. I've tested the patch locally, and verified that FileZilla can now properly make TLS-enabled FTP connections on RHEL6. Could you please apply it?
One caveat: you should verify that my selection of signature algorithms is reasonable.
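The following is an added example, not the reporter's attached patch and not FileZilla's or GnuTLS's own code. It shows the check a maintainer would want before shipping a version-gated priority string: tokenize the string on ':' and flag any keyword that the target GnuTLS version does not understand, using the 2.11.5 keywords from the NEWS excerpt above as the only entries in the table. The GNUTLS_VER macro assumes the 0xMMmmpp layout that GNUTLS_VERSION_NUMBER uses (e.g. 0x030100 for 3.1.0, as in the ticket), and 2.8.3 is used as the oldest supported version because the ticket names it.

```c
#include <stdio.h>
#include <string.h>

/* Same hex layout as GNUTLS_VERSION_NUMBER: 0xMMmmpp (assumption, see lead-in). */
#define GNUTLS_VER(maj, min, pat) (((maj) << 16) | ((min) << 8) | (pat))

/* The pre-3.1.0 priority string quoted in the ticket. */
#define FILEZILLA_PRE31_PRIORITY \
    "SECURE128:+ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP"

/* Keywords and the version that introduced them, taken from the 2.11.5 NEWS entry.
   Keywords not listed here are assumed to be available on every supported version. */
static const struct {
    const char *keyword;
    unsigned    min_version;
} required_version[] = {
    { "SIGN-ALL",     GNUTLS_VER(2, 11, 5) },
    { "CTYPE-ALL",    GNUTLS_VER(2, 11, 5) },
    { "COMP-ALL",     GNUTLS_VER(2, 11, 5) },
    { "VERS-TLS-ALL", GNUTLS_VER(2, 11, 5) },
};

/* Walks a GnuTLS priority string (keywords separated by ':', optionally
   prefixed with '+', '-' or '!') and returns the first keyword that `version`
   does not support, or NULL if every keyword is fine. The returned pointer
   refers to a static buffer and is valid until the next call. */
const char *first_unsupported_keyword(const char *priority, unsigned version)
{
    static char found[64];
    const char *p = priority;
    size_t ntable = sizeof required_version / sizeof required_version[0];

    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *kw = p;
        size_t kwlen = len;

        /* Strip the priority modifier so "+SIGN-ALL" matches "SIGN-ALL". */
        if (kwlen && (*kw == '+' || *kw == '-' || *kw == '!')) {
            kw++;
            kwlen--;
        }

        for (size_t i = 0; i < ntable; i++) {
            const char *k = required_version[i].keyword;
            if (strlen(k) == kwlen && strncmp(k, kw, kwlen) == 0 &&
                version < required_version[i].min_version) {
                if (kwlen >= sizeof found)
                    kwlen = sizeof found - 1;
                memcpy(found, kw, kwlen);
                found[kwlen] = '\0';
                return found;
            }
        }

        if (!end)
            break;
        p = end + 1;
    }
    return NULL;
}

int main(void)
{
    /* Oldest version FileZilla claims to support (from the ticket) versus the
       version that introduced SIGN-ALL (from the NEWS excerpt). */
    unsigned versions[] = { GNUTLS_VER(2, 8, 3), GNUTLS_VER(2, 11, 5) };
    for (size_t i = 0; i < 2; i++) {
        const char *bad = first_unsupported_keyword(FILEZILLA_PRE31_PRIORITY, versions[i]);
        printf("GnuTLS 0x%06x: %s\n", versions[i],
               bad ? bad : "all keywords supported");
    }
    return 0;
}
```

Running the lint over the ticket's own string reports SIGN-ALL as unsupported on 2.8.3 and nothing on 2.11.5, which is exactly the gap the `#if` in tlssocket.cpp needs a second branch for. The same table can be extended as further keywords with known introduction versions are confirmed against the NEWS file.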