download: Add "%COMPAT" to the priority string.

Fixes <http://bugs.gnu.org/23311>. * guix/build/download.scm (tls-wrap): Add 'set-session-priorities!' call.
2026-04-08 22:20:38 +02:00 · 2016-04-20 13:12:57 +02:00
parent 083b3a0e25
commit 967ee481e8
1 changed files with 7 additions and 0 deletions
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -274,6 +274,13 @@ host name without trailing dot."

    (set-session-transport-fd! session (fileno port))
    (set-session-default-priority! session)
+
+    ;; The "%COMPAT" bit allows us to work around firewall issues (info
+    ;; "(gnutls) Priority Strings"); see <http://bugs.gnu.org/23311>.
+    ;; Explicitly disable SSLv3, which is insecure:
+    ;; <https://tools.ietf.org/html/rfc7568>.
+    (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0")
+
    (set-session-credentials! session (make-certificate-credentials))

    ;; Uncomment the following lines in case of debugging emergency.