Opened 11 years ago
Last modified 8 years ago
#9438 closed Patch
invalid GnuTLS ciphers string for GnuTLS < 2.11.5 — at Initial Version
Reported by: | James Ralston | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | FileZilla Client |
Keywords: | gnutls ciphers | Cc: | |
Component version: | | Operating system type: | Linux |
Operating system version: | RHEL6 | | |
Description
FileZilla supports GnuTLS versions 2.8.3 and later.
However, in src/engine/tlssocket.cpp, the following code appears:
#if GNUTLS_VERSION_NUMBER >= 0x030100
char const ciphers[] = "SECURE256:+SECURE128:+ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP";
#else
// Versions before 3.1.0 cannot combine level keywords
char const ciphers[] = "SECURE128:+ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP";
#endif
But this is wrong, because SIGN-ALL wasn't added to GnuTLS until version 2.11.5. From the GnuTLS NEWS file:
* Version 2.11.5 (released 2010-12-01)
** libgnutls: Reverted default behavior for verification and introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default V1 trusted CAs are allowed, unless the new flag is specified.
** libgnutls: Correctly add leading zero to PKCS #8 encoded DSA key. Reported by Jeffrey Walton.
** libgnutls: Added SIGN-ALL, CTYPE-ALL, COMP-ALL, and VERS-TLS-ALL as priority strings. Those allow to set all the supported algorithms at once.
Because of this bug, FTPS support is broken on Red Hat Enterprise Linux 6, which is a very common Linux distribution.
I created the attached patch. I've tested the patch locally, and verified that FileZilla can now properly make TLS-enabled FTP connections on RHEL6. Could you please apply it?
One caveat: you should verify that my selection of signature algorithms is reasonable.
Thanks!
patch to correct FileZilla's ciphers string for GnuTLS < 2.11.5
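A compatibility check for the two priority strings quoted in the ticket, written here as an added example (it is neither FileZilla's nor GnuTLS's code and does not link against GnuTLS): it tokenizes a GnuTLS priority string and reports the keywords a given GNUTLS_VERSION_NUMBER does not accept, using the two facts the ticket states (the *-ALL shortcuts arrived in 2.11.5; level keywords could not be combined before 3.1.0). The keyword lists and the 0xMMmmPP version encoding are assumptions of this example.

```cpp
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Version thresholds in GNUTLS_VERSION_NUMBER form (assumed 0xMMmmPP, so 2.11.5 == 0x020B05).
constexpr unsigned kSignAllVersion      = 0x020B05; // SIGN-ALL/CTYPE-ALL/COMP-ALL/VERS-TLS-ALL added (NEWS, 2.11.5)
constexpr unsigned kLevelCombineVersion = 0x030100; // "SECURE256:+SECURE128" style level combining allowed (3.1.0)

// Keyword lists are assumptions of this example, not taken from GnuTLS headers.
static const char* const kAllKeywords[]   = {"SIGN-ALL", "CTYPE-ALL", "COMP-ALL", "VERS-TLS-ALL"};
static const char* const kLevelKeywords[] = {"SECURE256", "SECURE128", "NORMAL", "PERFORMANCE"};

// The two strings from src/engine/tlssocket.cpp as quoted in the ticket.
const char kCiphersModern[] = "SECURE256:+SECURE128:+ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP";
const char kCiphersLegacy[] = "SECURE128:+ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP";

static bool in_list(const std::string& tok, const char* const* list, size_t n) {
    return std::find(list, list + n, tok) != list + n;
}

// Returns, in order of appearance, the keywords of `priority` that GnuTLS `version`
// does not accept: any *-ALL shortcut before 2.11.5, and any second level keyword before 3.1.0.
std::vector<std::string> unsupported_keywords(const std::string& priority, unsigned version) {
    std::vector<std::string> bad;
    std::istringstream in(priority);
    std::string tok;
    int levels_seen = 0;
    while (std::getline(in, tok, ':')) {
        // Strip the +/-/! modifier that prefixes every keyword after the first.
        if (!tok.empty() && (tok[0] == '+' || tok[0] == '-' || tok[0] == '!'))
            tok.erase(0, 1);
        if (version < kSignAllVersion && in_list(tok, kAllKeywords, 4))
            bad.push_back(tok);
        if (in_list(tok, kLevelKeywords, 4) && ++levels_seen > 1 && version < kLevelCombineVersion)
            bad.push_back(tok);
    }
    return bad;
}

int main() {
    // 0x020803 is GnuTLS 2.8.3, the oldest version the ticket says FileZilla supports.
    for (const std::string& kw : unsupported_keywords(kCiphersLegacy, 0x020803))
        std::cout << "rejected by GnuTLS 2.8.3: " << kw << '\n';
    return 0;
}
```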