[CentOS] TLSv1.2 support for lftp on CentOS 6.x

Tue Aug 2 15:29:07 UTC 2016
Olivier BONHOMME <obonhomme at nerim.net>

On Tue, Aug 02, 2016 at 02:56:26PM +0000, Olivier BONHOMME wrote:
> Hello Tom,
> 
> It's indeed an interesting way. I didn't think about something just disabled. I
> browsed the gnutls rpm changelog and I saw this:
> 
> * Thu May  3 2012 Tomas Mraz <tmraz at redhat.com> 2.8.5-7
> - more TLS-1.2 compatibility fixes (TLS-1.2 stays disabled by default)
> 
> So TLS 1.2 seems to be there but disabled by default, so maybe lftp can't use it
> because it can't force it.
> 
> I tried browsing the code and RPM patches but I was unable to find where this
> disable thing is.
> 
> Does anybody have an idea?

Hello guys,

I think I found something. If we look into the upstream source provided in the
GNUTLS SRPM, we have in the file lib/gnutls_priority.c:

static const int protocol_priority[] = {
  /* GNUTLS_TLS1_2, -- not finalized yet! */
  GNUTLS_TLS1_1,
  GNUTLS_TLS1_0,
  GNUTLS_SSL3,
  0
};

So I guess that even if TLS1.2 is implemented in the CentOS version, the
default priority doesn't allow using TLS1.2.

And I think that lftp doesn't allow forcing this priority; that's why I can't
use TLS1.2 and only TLS1.1 at best.

So the question is: can that behaviour be considered an lftp bug or not?

Regards,
Olivier
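
Added example, not part of the thread and not code from GnuTLS or lftp: a small Python model of how a protocol list like the protocol_priority[] array quoted above limits what a client can negotiate, and how a GnuTLS-style priority string (the mechanism the mail says lftp cannot pass through) would change that list. The names CENTOS6_DEFAULT, apply_priority_string and negotiate are this example's own; the priority-string grammar it parses is an assumed, simplified subset of GnuTLS's syntax (only VERS-* tokens, with "-VERS-TLS-ALL" read as dropping every TLS* entry), and the server version sets are constructed inputs.

```python
# Added example (not from the thread, GnuTLS or lftp): models how a
# protocol priority list decides which TLS version a client can negotiate.

# Versions known to this model, highest first.
ALL_VERSIONS = ["TLS1.2", "TLS1.1", "TLS1.0", "SSL3.0"]

# Mirrors the CentOS 6 gnutls default quoted in the mail: TLS1.2 is compiled
# in but left out of the default list, so a client built on it never offers it.
CENTOS6_DEFAULT = ["TLS1.1", "TLS1.0", "SSL3.0"]


def apply_priority_string(priority, base=None):
    """Return the protocol list that results from applying PRIORITY to BASE.

    Handled tokens (assumed, simplified GnuTLS syntax):
      NORMAL / SECURE / ...   -> start from BASE (the build's default list)
      +VERS-<name>            -> add <name> if missing
      -VERS-<name>            -> remove <name> if present
      -VERS-TLS-ALL           -> remove every TLS* entry (this model's reading)
      -VERS-ALL / +VERS-ALL   -> remove / add every known version
    """
    versions = list(CENTOS6_DEFAULT if base is None else base)
    for token in priority.split(":"):
        if not token or token[0] not in "+-":
            continue  # empty, or a leading keyword such as NORMAL
        sign, name = token[0], token[1:]
        if not name.startswith("VERS-"):
            raise ValueError(f"token not handled by this model: {token}")
        name = name[len("VERS-"):]
        if name == "ALL":
            targets = ALL_VERSIONS
        elif name == "TLS-ALL":
            targets = [v for v in ALL_VERSIONS if v.startswith("TLS")]
        elif name in ALL_VERSIONS:
            targets = [name]
        else:
            raise ValueError(f"unknown protocol version: {name}")
        for v in targets:
            if sign == "+" and v not in versions:
                versions.append(v)
            elif sign == "-" and v in versions:
                versions.remove(v)
    return versions


def negotiate(client_versions, server_versions):
    """Highest version both sides support, or None if no handshake is possible.

    Up to TLS 1.2 the client advertises its maximum version and the server
    answers with the highest one it supports that is not above it, so the
    outcome is the highest common version; list order does not matter here.
    """
    for v in ALL_VERSIONS:
        if v in client_versions and v in server_versions:
            return v
    return None


def explain(priority, server_versions):
    """One-line summary of what a client with PRIORITY gets from a server."""
    client = apply_priority_string(priority)
    chosen = negotiate(client, server_versions)
    return f"{priority!r}: offers {client}; server {server_versions} -> {chosen}"


if __name__ == "__main__":
    # Constructed server configurations: one TLS1.2-only, one allowing 1.1 too.
    print(explain("NORMAL", ["TLS1.2"]))
    print(explain("NORMAL:+VERS-TLS1.2", ["TLS1.2"]))
    print(explain("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2", ["TLS1.2", "TLS1.1"]))
```

With the CentOS 6 default list, a TLS1.2-only server yields no common version at all, which matches the failure described in the thread; adding "+VERS-TLS1.2" to the priority string is enough to make the handshake succeed, and "-VERS-TLS-ALL:+VERS-TLS1.2" shows how a client could be restricted to TLS1.2 once the build offers it. The point for a defender is that the protocol set, not lftp's code, decides the outcome, so checking the library's effective default list is the first diagnostic step.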