better backport availability for PFS feature
authorTim Ruehsen <tim.ruehsen@gmx.de>
Mon, 9 Sep 2013 08:36:09 +0000 (10:36 +0200)
committerGiuseppe Scrivano <gscrivan@redhat.com>
Thu, 17 Oct 2013 07:56:27 +0000 (09:56 +0200)
src/ChangeLog
src/gnutls.c

index 81320ca48f206876daf1cb3e54eb21df76785f1a..23c210b0ccecc35752f0a3e27b790a6e40bf4e71 100644 (file)
@@ -1,3 +1,9 @@
+2013-09-09  Tim Ruehsen  <tim.ruehsen@gmx.de>
+
+       * gnutls.c (ssl_connect_wget): changed checking of option "PFS"
+         to be better prepared for some kinds of backports.
+         Reported by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+
 2013-10-10  Giuseppe Scrivano  <gscrivan@redhat.com>
 
        * url.c (url_parse): Try to convert UTF-8 URLs to IDN.
index 94dfaedd0f39b3211a2347196f815ce2d4a37a9c..9b4b1ec0d8e98b38b514cf5e3f30a9f089e993d7 100644 (file)
@@ -443,9 +443,9 @@ ssl_connect_wget (int fd, const char *hostname)
       err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL);
       break;
     case secure_protocol_pfs:
-      if (gnutls_check_version("3.2.4"))
-        err = gnutls_priority_set_direct (session, "PFS", NULL);
-      else
+      err = gnutls_priority_set_direct (session, "PFS", NULL);
+      if (err != GNUTLS_E_SUCCESS)
+        /* fallback if PFS is not available */
         err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
       break;
     default:
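Review bot: The fallback under `if (err != GNUTLS_E_SUCCESS)` in the `secure_protocol_pfs` case runs on any failure of the "PFS" call, not only when the keyword is unknown to the library, and it is silent. A user who asked for PFS therefore cannot tell which priority string is actually in effect. I would brace the branch and record the downgrade with the original error, for example `DEBUGP (("GnuTLS priority \"PFS\" rejected (%s), using \"NORMAL:-RSA\"\n", gnutls_strerror (err)));` placed before the second `gnutls_priority_set_direct` call. The fallback string also lacks the `-VERS-SSL3.0` exclusion used in the case just above; whether that is intended cannot be judged from this hunk, since the rest of `ssl_connect_wget` lies outside it.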