Blob Blame History Raw
diff -Naurp lftp-4.4.8.orig/doc/lftp.1 lftp-4.4.8/doc/lftp.1
--- lftp-4.4.8.orig/doc/lftp.1	2015-05-13 11:31:55.000000000 +0200
+++ lftp-4.4.8/doc/lftp.1	2015-05-13 16:34:46.648020240 +0200
@@ -1865,6 +1865,14 @@ when true, use Server Name Indication (S
 if set to yes, then verify server's certificate to be signed by a known
 Certificate Authority and not be on Certificate Revocation List.
 .TP
+.BR ssl:priority " (string)"
+free form priority string for GnuTLS. If built with OpenSSL the understood
+values are \fI+\fP or \fI-\fP followed by SSL3.0, TLS1.0, TLS1.1 or TLS1.2,
+separated by \fI:\fP. Example:
+.Ds
+set ssl:priority "NORMAL:-SSL3.0:-TLS1.0:-TLS1.1:+TLS1.2"
+.De
+.TP
 .BR torrent:ip " (ipv4 address)"
 IP address to send to the tracker. Specify it if you are using an HTTP proxy.
 .TP
diff -Naurp lftp-4.4.8.orig/src/lftp_ssl.cc lftp-4.4.8/src/lftp_ssl.cc
--- lftp-4.4.8.orig/src/lftp_ssl.cc	2013-03-19 13:55:58.000000000 +0100
+++ lftp-4.4.8/src/lftp_ssl.cc	2015-05-13 17:41:43.752418022 +0200
@@ -270,10 +270,20 @@ lftp_ssl_gnutls::lftp_ssl_gnutls(int fd1
 
    gnutls_transport_set_ptr(session,(gnutls_transport_ptr_t)fd);
 
-   // hack for some ftp servers
-   const char *auth=ResMgr::Query("ftp:ssl-auth", hostname);
-   if(auth && !strncmp(auth, "SSL", 3))
-      gnutls_priority_set_direct(session, "NORMAL:+SSL3.0:-TLS1.0:-TLS1.1:-TLS1.2",0);
+   const char *priority=ResMgr::Query("ssl:priority", 0);
+   if(priority && *priority)
+   {
+      int res = gnutls_priority_set_direct(session, priority, 0);
+      if(res != GNUTLS_E_SUCCESS)
+         Log::global->Format(0,"gnutls_priority_set_direct(`%s'): %s\n",priority,gnutls_strerror(res));
+   }
+   else
+   {
+      // hack for some ftp servers
+      const char *auth=ResMgr::Query("ftp:ssl-auth", hostname);
+      if(auth && !strncmp(auth, "SSL", 3))
+         gnutls_priority_set_direct(session, "NORMAL:+SSL3.0:-TLS1.0:-TLS1.1:-TLS1.2",0);
+   }
 
    if(h && ResMgr::QueryBool("ssl:use-sni",h)) {
       if(gnutls_server_name_set(session, GNUTLS_NAME_DNS, h, xstrlen(h)) < 0)
@@ -771,7 +781,32 @@ lftp_ssl_openssl_instance::lftp_ssl_open
 #else
    SSLeay_add_ssl_algorithms();
    ssl_ctx=SSL_CTX_new(SSLv23_client_method());
-   SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL|SSL_OP_NO_TICKET|SSL_OP_NO_SSLv2);
+   long options=SSL_OP_ALL|SSL_OP_NO_TICKET|SSL_OP_NO_SSLv2;
+   const char *priority=ResMgr::Query("ssl:priority", 0);
+   if(priority && *priority)
+   {
+      static const struct ssl_option {
+         const char name[8];
+         long option;
+      } opt_table[] ={
+	 {"-SSL3.0",SSL_OP_NO_SSLv3},
+	 {"-TLS1.0",SSL_OP_NO_TLSv1},
+	 {"-TLS1.1",SSL_OP_NO_TLSv1_1},
+	 {"-TLS1.2",SSL_OP_NO_TLSv1_2},
+	 {"",0}
+      };
+      char *to_parse=alloca_strdup(priority);
+      for(char *ptr=strtok(to_parse,":"); ptr; ptr=strtok(NULL,":")) {
+	 for(const ssl_option *opt=opt_table; opt->name[0]; opt++) {
+	    if(!strcmp(ptr,opt->name)) {
+	       options|=opt->option;
+	       Log::global->Format(9,"ssl: applied %s option\n",ptr);
+	       break;
+	    }
+	 }
+      }
+   }
+   SSL_CTX_set_options(ssl_ctx, options);
    SSL_CTX_set_cipher_list(ssl_ctx, "ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH");
    SSL_CTX_set_verify(ssl_ctx,SSL_VERIFY_PEER,lftp_ssl_openssl::verify_callback);
 //    SSL_CTX_set_default_passwd_cb(ssl_ctx,lftp_ssl_passwd_callback);
diff -Naurp lftp-4.4.8.orig/src/resource.cc lftp-4.4.8/src/resource.cc
--- lftp-4.4.8.orig/src/resource.cc	2013-03-19 14:00:36.000000000 +0100
+++ lftp-4.4.8/src/resource.cc	2015-05-13 17:57:40.885954120 +0200
@@ -354,6 +354,7 @@ static ResType lftp_vars[] = {
    {"ssl:check-hostname",	 "yes",	  ResMgr::BoolValidate,0},
    {"ssl:verify-certificate",	 "yes",	  ResMgr::BoolValidate,0},
    {"ssl:use-sni",		 "yes",	  ResMgr::BoolValidate,0},
+   {"ssl:priority",		 "",	  0,0},
 # if USE_OPENSSL
    {"ssl:ca-path",		 "",	  ResMgr::DirReadable,ResMgr::NoClosure},
    {"ssl:crl-path",		 "",	  ResMgr::DirReadable,ResMgr::NoClosure},