| commit | a83ff1f565a4a7bc25a4b8353ee26bc1b97410e3 | |
| author | Kalle Olavi Niemitalo <kon@iki.fi> | |
| Sat, 26 Jul 2008 22:24:36 +0000 (27 01:24 +0300) | ||
| committer | Kalle Olavi Niemitalo <Kalle@Astalo.kon.iki.fi> | |
| Sat, 26 Jul 2008 22:39:01 +0000 (27 01:39 +0300) | ||
| tree | 51d3a4905ffb022d278862924d1f430ee0c01da0 | treesnapshot (tar.gz zip) |
| parent | 5ef63a5d01836b3e5073809a4d3c7e839efb24f8 | commitdiff |
1040: Blacklist servers that support SSL3 but not TLS1.
It seems GnuTLS is not as good at negotiating a supported protocol as
OpenSSL is. ELinks tries to work around that by retrying with a
different protocol if the SSL library reports an error. However,
ELinks must not automatically retry POST requests where some data may
have already reached the server; POST is not a safe method in HTTP.
So instead, collect the name of the TLS-incapable server in a blacklist
when ELinks e.g. loads an HTML form from it; the actual POST can then
immediately use the protocol that worked.
It's a bit ugly that src/network/socket.c now uses
protocol/http/blacklist.h. It might be better to move the blacklist
files out of the http directory, and perhaps merge them with the
BitTorrent blacklisting code.
It seems GnuTLS is not as good at negotiating a supported protocol as
OpenSSL is. ELinks tries to work around that by retrying with a
different protocol if the SSL library reports an error. However,
ELinks must not automatically retry POST requests where some data may
have already reached the server; POST is not a safe method in HTTP.
So instead, collect the name of the TLS-incapable server in a blacklist
when ELinks e.g. loads an HTML form from it; the actual POST can then
immediately use the protocol that worked.
It's a bit ugly that src/network/socket.c now uses
protocol/http/blacklist.h. It might be better to move the blacklist
files out of the http directory, and perhaps merge them with the
BitTorrent blacklisting code.