From eb483c9f259028f9d40ef5c693b85ab82fe9ade0 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivano@gnu.org>
Date: Sat, 3 Jul 2010 13:48:15 +0200
Subject: [PATCH] Honor the --secure-protocol flag in the GNU TLS backend.

---
 src/ChangeLog |  5 +++++
 src/gnutls.c  | 29 +++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/src/ChangeLog b/src/ChangeLog
index f27f969f..a062fdfb 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2010-07-03  Giuseppe Scrivano  <gscrivano@gnu.org>
+
+	* gnutls.c (ssl_connect_wget): New local variable `allowed_protocols'.
+	Honor the --secure-protocol flag.
+
 2010-06-20  Giuseppe Scrivano  <gscrivano@gnu.org>
 
 	* main.c (print_help): Fix help string for --random-wait.  Its range is
diff --git a/src/gnutls.c b/src/gnutls.c
index 782c7486..3c4c5b4c 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -196,6 +196,7 @@ ssl_connect_wget (int fd)
   struct wgnutls_transport_context *ctx;
   gnutls_session session;
   int err;
+  int allowed_protocols[4] = {0, 0, 0, 0};
   gnutls_init (&session, GNUTLS_CLIENT);
   gnutls_set_default_priority (session);
   gnutls_certificate_type_set_priority (session, cert_type_priority);
@@ -204,6 +205,33 @@ ssl_connect_wget (int fd)
 # define FD_TO_SOCKET(X) (X)
 #endif
   gnutls_transport_set_ptr (session, (gnutls_transport_ptr) FD_TO_SOCKET (fd));
+
+  err = 0;
+  switch (opt.secure_protocol)
+    {
+    case secure_protocol_auto:
+      break;
+    case secure_protocol_sslv2:
+    case secure_protocol_sslv3:
+      allowed_protocols[0] = GNUTLS_SSL3;
+      err = gnutls_protocol_set_priority (session, allowed_protocols);
+      break;
+    case secure_protocol_tlsv1:
+      allowed_protocols[0] = GNUTLS_TLS1_0;
+      allowed_protocols[1] = GNUTLS_TLS1_1;
+      allowed_protocols[2] = GNUTLS_TLS1_2;
+      err = gnutls_protocol_set_priority (session, allowed_protocols);
+      break;
+    default:
+      abort ();
+    }
+  if (err < 0)
+    {
+      logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));
+      gnutls_deinit (session);
+      return false;
+    }
+
   err = gnutls_handshake (session);
   if (err < 0)
     {
@@ -211,6 +239,7 @@ ssl_connect_wget (int fd)
       gnutls_deinit (session);
       return false;
     }
+
   ctx = xnew0 (struct wgnutls_transport_context);
   ctx->session = session;
   fd_register_transport (fd, &wgnutls_transport, ctx);
-- 
2.39.2