Ludovic Courtès <l...@gnu.org> writes:
>> This is an obvious merge blocker, help wanted! Disabling TLS1.3 in the >> priority string works as a last-resort workaround. > > Yes, that’s a stop-gap measure we should probably apply for now: > > diff --git a/guix/build/download.scm b/guix/build/download.scm > index c08221b3b2..23c9a4d466 100644 > --- a/guix/build/download.scm > +++ b/guix/build/download.scm > @@ -268,7 +268,10 @@ host name without trailing dot." > ;; "(gnutls) Priority Strings"); see <http://bugs.gnu.org/23311>. > ;; Explicitly disable SSLv3, which is insecure: > ;; <https://tools.ietf.org/html/rfc7568>. > - (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0") > + ;; > + ;; FIXME: Since we currently fail to handle TLS 1.3, remove it; see > + ;; <https://bugs.gnu.org/34102>. > + (set-session-priorities! session > "NORMAL:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.3") > > (set-session-credentials! session > (if (and verify-certificate? ca-certs) > > Any objections? I think it’s fine to do this to allow us to merge the staging branch before fixing the problem in the Guile bindings. -- Ricardo
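Review bot: The FIXME added above the `set-session-priorities!` call in guix/build/download.scm says only that "we currently fail to handle TLS 1.3"; it does not say what fails or when `-VERS-TLS1.3` can be dropped again. Since this is proposed as a stop-gap, the comment should say that the suffix is a temporary workaround to be removed once <https://bugs.gnu.org/34102> is fixed, so the restricted priority string does not outlive the bug. The comment could also note that with this string the session never negotiates TLS 1.3, so every download through this code path uses an older protocol version.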