authorJosh Rickmar <jrick@devio.us>2012-08-02 11:05:19 -0400
committerJosh Rickmar <jrick@devio.us>2012-08-02 11:05:19 -0400
commit91ffa05aa8b2c6ada1c6cc0a65ef8df0f47e4efe (patch)
treea2c3be9a9e57d6d5e4594aa08b239a8e9531d70f
parentecc38e92afec8eb237a1cdd20661a932c6c27679 (diff)
Add a new setting, gnutls_priority_string.
This may be used to modify the GnuTLS priority string used for the
soup session to enable or disable specific ciphers or TLS/SSL
versions.  Default is empty (uses libsoup's defaults).
-rw-r--r--settings.c35
-rw-r--r--xombrero.117
-rw-r--r--xombrero.conf1
-rw-r--r--xombrero.h2
4 files changed, 53 insertions, 2 deletions
diff --git a/settings.c b/settings.c
index d421429..e697e20 100644
--- a/settings.c
+++ b/settings.c
@@ -114,6 +114,7 @@ int		allow_insecure_content = XT_DS_ALLOW_INSECURE_CONTENT;
 int		allow_insecure_scripts = XT_DS_ALLOW_INSECURE_SCRIPTS;
 int		do_not_track = XT_DS_DO_NOT_TRACK;
 int		preload_strict_transport = XT_DS_PRELOAD_STRICT_TRANSPORT;
+char		*gnutls_priority_string = XT_DS_GNUTLS_PRIORITY_STRING;
 
 char		*cmd_font_name = NULL;	/* these are all set at startup */
 char		*oops_font_name = NULL;
@@ -131,6 +132,7 @@ char		*get_work_dir(struct settings *);
 char		*get_referer(struct settings *);
 char		*get_ssl_ca_file(struct settings *);
 char		*get_userstyle(struct settings *);
+char		*get_gnutls_priority_string(struct settings *);
 
 int		add_cookie_wl(struct settings *, char *);
 int		add_js_wl(struct settings *, char *);
@@ -209,6 +211,7 @@ int		set_allow_insecure_content(char *);
 int		set_allow_insecure_scripts(char *);
 int		set_http_proxy(char *);
 int		set_do_not_track(char *);
+int		set_gnutls_priority_string(struct settings *, char *);
 
 int		check_allow_insecure_content(char **);
 int		check_allow_insecure_scripts(char **);
@@ -244,6 +247,7 @@ int		check_enable_strict_transport(char **);
 int		check_encoding(char **);
 int		check_external_editor(char **);
 int		check_fancy_bar(char **);
+int		check_gnutls_search_string(char **);
 int		check_guess_search(char **);
 int		check_gui_mode(char **);
 int		check_history_autosave(char **);
@@ -473,7 +477,15 @@ struct special		s_userstyle = {
 struct special		s_force_https = {
 	add_force_https,
 	NULL,
-	walk_force_https
+	walk_force_https,
+	{ NULL }
+};
+
+struct special		s_gnutls_priority_string = {
+	set_gnutls_priority_string,
+	get_gnutls_priority_string,
+	NULL,
+	{ NULL }
 };
 
 struct settings		rs[] = {
@@ -512,6 +524,7 @@ struct settings		rs[] = {
 	{ "encoding",			XT_S_STR, 0, NULL,	&encoding, NULL, NULL, NULL, check_encoding, TT_ENCODING },
 	{ "external_editor",		XT_S_STR,0, NULL,	&external_editor, NULL, NULL, set_external_editor, check_external_editor, TT_EXTERNAL_EDITOR },
 	{ "fancy_bar",			XT_S_BOOL,XT_SF_RESTART,&fancy_bar, NULL, NULL, NULL, set_fancy_bar, check_fancy_bar, TT_FANCY_BAR },
+	{ "gnutls_priority_string",	XT_S_STR, 0, NULL, NULL,&s_gnutls_priority_string, NULL, NULL, check_gnutls_search_string, TT_GNUTLS_PRIORITY_STRING },
 	{ "guess_search",		XT_S_BOOL, 0,		&guess_search, NULL, NULL, NULL, set_guess_search, check_guess_search, TT_GUESS_SEARCH },
 	{ "gui_mode",			XT_S_STR, 0, NULL, NULL,&s_gui_mode, NULL, NULL, check_gui_mode, TT_GUI_MODE },
 	{ "history_autosave",		XT_S_BOOL, 0,		&history_autosave, NULL, NULL, NULL, NULL, check_history_autosave, TT_HISTORY_AUTOSAVE },
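Review bot: The new `gnutls_priority_string` row is registered with flags `0`, so it is offered as a setting that can be changed in a running session, yet its setter only exports `G_TLS_GNUTLS_PRIORITY` with overwrite disabled. A second runtime change therefore cannot replace the first value, and the TLS backend presumably reads the variable only when it initialises, so a user who tightens the cipher or protocol list mid-session could believe the change applied when it did not. Consider flagging the row the way `fancy_bar` is, `XT_S_STR, XT_SF_RESTART, NULL, NULL,&s_gnutls_priority_string, ...`, assuming `XT_SF_RESTART` means what its name suggests. The `rs[]` initialiser starts and ends outside the hunk.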
@@ -2444,6 +2457,26 @@ check_encoding(char **tt)
 }
 
 int
+check_gnutls_search_string(char **tt)
+{
+	*tt = g_strdup("Default: (empty)");
+	return (g_strcmp0(gnutls_priority_string,
+	    XT_DS_GNUTLS_PRIORITY_STRING));
+}
+
+int
+set_gnutls_priority_string(struct settings *s, char *value)
+{
+	return (!g_setenv("G_TLS_GNUTLS_PRIORITY", value, FALSE));
+}
+
+char *
+get_gnutls_priority_string(struct settings *s)
+{
+	return (g_strdup(g_getenv("G_TLS_GNUTLS_PRIORITY")));
+}
+
+int
 set_guess_search(char *value)
 {
 	int			tmp;
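Review bot: `check_gnutls_search_string` compares the global `gnutls_priority_string` with its default, but nothing in this hunk ever assigns that global, since `set_gnutls_priority_string` only writes the environment. The check therefore appears to report "default" even after a weaker priority string has been configured. Comparing the live value would fix that: `return (g_strcmp0(g_getenv("G_TLS_GNUTLS_PRIORITY"), XT_DS_GNUTLS_PRIORITY_STRING));`. Because `g_setenv` is called with overwrite `FALSE`, an inherited or earlier value stays in force while the setter still returns success; a warning when `g_getenv("G_TLS_GNUTLS_PRIORITY")` does not equal `value` afterwards would make the effective TLS policy visible, and a NULL or empty `value` should probably be rejected before the call. The check is also named `search_string` where the setting is `priority_string`. `set_guess_search` at the end of the hunk continues outside it.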
diff --git a/xombrero.1 b/xombrero.1
index 3fd634d..95472f6 100644
--- a/xombrero.1
+++ b/xombrero.1
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 15 2012 $
+.Dd $Mdocdate: August 21 2012 $
 .Dt XOMBRERO 1
 .Os
 .Sh NAME
@@ -1266,6 +1266,21 @@ instead.
 See
 .Cm cookie_wl
 for semantics.
+.It Cm gnutls_priority_string
+If set, this string sets the G_TLS_GNUTLS_PRIORITY environmental
+variable to define the GnuTLS priority string that is used when
+initializing the GnuTLS session.
+This may be used to change the supported TLS/SSL versions and the
+ciphers that are used when making HTTPS connections.
+.Pp
+Full details on how to modify this setting may be found in the
+.Lk http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html "GnuTLS documentation" .
+For example, to disable the 128-bit RC4 cipher, change this setting to
+.Pa NORMAL:!ARCFOUR-128 .
+.Pp
+If your glib-networking package is older than version 2.33.10, or if
+the G_TLS_GNUTLS_PRIORITY environmental variable is already set, this
+setting has no effect.
 .It Cm guess_search
 When enabled
 .Nm
diff --git a/xombrero.conf b/xombrero.conf
index f04eddb..14bce15 100644
--- a/xombrero.conf
+++ b/xombrero.conf
@@ -189,6 +189,7 @@
 # resource_dir		= /usr/local/share/xombrero/
 # refresh_interval	= 10
 # url_regex		= ^[[:blank:]]*[^[:blank:]]*([[:alnum:]-]+\.)+[[:alnum:]-][^[:blank:]]*[[:blank:]]*$
+# gnutls_priority_string = NORMAL:%COMPAT
 
 # NOTE: webkit 1.4.x overwrites these values!
 # max_host_connections	= 5
diff --git a/xombrero.h b/xombrero.h
index 5853bf4..827eb07 100644
--- a/xombrero.h
+++ b/xombrero.h
@@ -663,6 +663,7 @@ int		command_mode(struct tab *, struct karg *);
 #define XT_DS_RESOURCE_DIR	("/usr/local/share/xombrero")
 #define XT_DS_DO_NOT_TRACK	(0)
 #define XT_DS_PRELOAD_STRICT_TRANSPORT	(1)
+#define XT_DS_GNUTLS_PRIORITY_STRING	(NULL)
 
 
 /* actions */
@@ -918,6 +919,7 @@ extern int	allow_insecure_content;
 extern int	allow_insecure_scripts;
 extern int	do_not_track;
 extern int	preload_strict_transport;
+extern char	*gnutls_priority_string;
 
 /* globals */
 extern void		(*os_init)(void);