1469N/ADisable SSLv3 as long as we're using GNU TLS 2.8 - we should be able to drop
1469N/Athis once we upgrade to GNU TLS 3.4.0 or later, which disables it by default
1469N/Aper http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007535.html
1469N/A
1469N/Adiff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
1469N/Aindex 3421de5..3a55d16 100644
1469N/A--- a/common/rfb/CSecurityTLS.cxx
1469N/A+++ b/common/rfb/CSecurityTLS.cxx
1469N/A@@ -184,8 +184,10 @@ bool CSecurityTLS::processMsg(CConnection* cc)
1469N/A if (gnutls_init(&session, GNUTLS_CLIENT) != GNUTLS_E_SUCCESS)
1469N/A throw AuthFailureException("gnutls_init failed");
1469N/A
1469N/A- if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)
1469N/A- throw AuthFailureException("gnutls_set_default_priority failed");
1469N/A+ // SSL 3.0 is enabled by default in GNU TLS 2.8, but we want it off
1469N/A+ if (gnutls_priority_set_direct(session, "NORMAL:-VERS-SSL3.0", NULL)
1469N/A+ != GNUTLS_E_SUCCESS)
1469N/A+ throw AuthFailureException("gnutls_priority_set_direct failed");
1469N/A
1469N/A setParam();
1469N/A
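Review bot: The priority string `"NORMAL:-VERS-SSL3.0"` is applied unconditionally in processMsg, so after the GnuTLS upgrade mentioned in the description it would still replace `gnutls_set_default_priority()` and whatever defaults the newer library ships. Guarding the workaround with `#if GNUTLS_VERSION_NUMBER < 0x030400` and keeping the old call in the `#else` branch would retire it automatically; the same applies to the SSecurityTLS.cxx hunk. Passing NULL as the last argument also discards the error position, and since setParam() (setParams(session) on the server side) runs right after, it is worth confirming that it does not set priorities again and undo the SSL 3.0 exclusion. processMsg's body starts and ends outside the hunk.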
1469N/Adiff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
1469N/Aindex 2ea84e0..5cd4739 100644
1469N/A--- a/common/rfb/SSecurityTLS.cxx
1469N/A+++ b/common/rfb/SSecurityTLS.cxx
1469N/A@@ -137,8 +137,10 @@ bool SSecurityTLS::processMsg(SConnection *sc)
1469N/A if (gnutls_init(&session, GNUTLS_SERVER) != GNUTLS_E_SUCCESS)
1469N/A throw AuthFailureException("gnutls_init failed");
1469N/A
1469N/A- if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)
1469N/A- throw AuthFailureException("gnutls_set_default_priority failed");
1469N/A+ // SSL 3.0 is enabled by default in GNU TLS 2.8, but we want it off
1469N/A+ if (gnutls_priority_set_direct(session, "NORMAL:-VERS-SSL3.0", NULL)
1469N/A+ != GNUTLS_E_SUCCESS)
1469N/A+ throw AuthFailureException("gnutls_priority_set_direct failed");
1469N/A
1469N/A try {
1469N/A setParams(session);