diff -Naurp lftp-4.4.8.orig/doc/lftp.1 lftp-4.4.8/doc/lftp.1
--- lftp-4.4.8.orig/doc/lftp.1 2015-05-13 11:31:55.000000000 +0200
+++ lftp-4.4.8/doc/lftp.1 2015-05-13 16:34:46.648020240 +0200
@@ -1865,6 +1865,14 @@ when true, use Server Name Indication (S
if set to yes, then verify server's certificate to be signed by a known
Certificate Authority and not be on Certificate Revocation List.
.TP
+.BR ssl:priority " (string)"
+free form priority string for GnuTLS. If built with OpenSSL the understood
+values are \fI+\fP or \fI-\fP followed by SSL3.0, TLS1.0, TLS1.1 or TLS1.2,
+separated by \fI:\fP. Example:
+.Ds
+set ssl:priority "NORMAL:-SSL3.0:-TLS1.0:-TLS1.1:+TLS1.2"
+.De
+.TP
.BR torrent:ip " (ipv4 address)"
IP address to send to the tracker. Specify it if you are using an HTTP proxy.
.TP
diff -Naurp lftp-4.4.8.orig/src/lftp_ssl.cc lftp-4.4.8/src/lftp_ssl.cc
--- lftp-4.4.8.orig/src/lftp_ssl.cc 2013-03-19 13:55:58.000000000 +0100
+++ lftp-4.4.8/src/lftp_ssl.cc 2015-05-13 17:41:43.752418022 +0200
@@ -270,10 +270,20 @@ lftp_ssl_gnutls::lftp_ssl_gnutls(int fd1
gnutls_transport_set_ptr(session,(gnutls_transport_ptr_t)fd);
- // hack for some ftp servers
- const char *auth=ResMgr::Query("ftp:ssl-auth", hostname);
- if(auth && !strncmp(auth, "SSL", 3))
- gnutls_priority_set_direct(session, "NORMAL:+SSL3.0:-TLS1.0:-TLS1.1:-TLS1.2",0);
+ const char *priority=ResMgr::Query("ssl:priority", 0);
+ if(priority && *priority)
+ {
+ int res = gnutls_priority_set_direct(session, priority, 0);
+ if(res != GNUTLS_E_SUCCESS)
+ Log::global->Format(0,"gnutls_priority_set_direct(`%s'): %s\n",priority,gnutls_strerror(res));
+ }
+ else
+ {
+ // hack for some ftp servers
+ const char *auth=ResMgr::Query("ftp:ssl-auth", hostname);
+ if(auth && !strncmp(auth, "SSL", 3))
+ gnutls_priority_set_direct(session, "NORMAL:+SSL3.0:-TLS1.0:-TLS1.1:-TLS1.2",0);
+ }
if(h && ResMgr::QueryBool("ssl:use-sni",h)) {
if(gnutls_server_name_set(session, GNUTLS_NAME_DNS, h, xstrlen(h)) < 0)
@@ -771,7 +781,32 @@ lftp_ssl_openssl_instance::lftp_ssl_open
#else
SSLeay_add_ssl_algorithms();
ssl_ctx=SSL_CTX_new(SSLv23_client_method());
- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL|SSL_OP_NO_TICKET|SSL_OP_NO_SSLv2);
+ long options=SSL_OP_ALL|SSL_OP_NO_TICKET|SSL_OP_NO_SSLv2;
+ const char *priority=ResMgr::Query("ssl:priority", 0);
+ if(priority && *priority)
+ {
+ static const struct ssl_option {
+ const char name[8];
+ long option;
+ } opt_table[] ={
+ {"-SSL3.0",SSL_OP_NO_SSLv3},
+ {"-TLS1.0",SSL_OP_NO_TLSv1},
+ {"-TLS1.1",SSL_OP_NO_TLSv1_1},
+ {"-TLS1.2",SSL_OP_NO_TLSv1_2},
+ {"",0}
+ };
+ char *to_parse=alloca_strdup(priority);
+ for(char *ptr=strtok(to_parse,":"); ptr; ptr=strtok(NULL,":")) {
+ for(const ssl_option *opt=opt_table; opt->name[0]; opt++) {
+ if(!strcmp(ptr,opt->name)) {
+ options|=opt->option;
+ Log::global->Format(9,"ssl: applied %s option\n",ptr);
+ break;
+ }
+ }
+ }
+ }
+ SSL_CTX_set_options(ssl_ctx, options);
SSL_CTX_set_cipher_list(ssl_ctx, "ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH");
SSL_CTX_set_verify(ssl_ctx,SSL_VERIFY_PEER,lftp_ssl_openssl::verify_callback);
// SSL_CTX_set_default_passwd_cb(ssl_ctx,lftp_ssl_passwd_callback);
diff -Naurp lftp-4.4.8.orig/src/resource.cc lftp-4.4.8/src/resource.cc
--- lftp-4.4.8.orig/src/resource.cc 2013-03-19 14:00:36.000000000 +0100
+++ lftp-4.4.8/src/resource.cc 2015-05-13 17:57:40.885954120 +0200
@@ -354,6 +354,7 @@ static ResType lftp_vars[] = {
{"ssl:check-hostname", "yes", ResMgr::BoolValidate,0},
{"ssl:verify-certificate", "yes", ResMgr::BoolValidate,0},
{"ssl:use-sni", "yes", ResMgr::BoolValidate,0},
+ {"ssl:priority", "", 0,0},
# if USE_OPENSSL
{"ssl:ca-path", "", ResMgr::DirReadable,ResMgr::NoClosure},
{"ssl:crl-path", "", ResMgr::DirReadable,ResMgr::NoClosure},