Stop setting G_TLS_GNUTLS_PRIORITY in web process, because the network process is mandatory nowadays and the web process should not be performing any networking. Currently some media elements bits that perform networking in the web process are probably affected by this, but that's a bug that should be handled separately.
Created attachment 310202 [details] Patch
(In reply to Michael Catanzaro from comment #0)
> Stop setting G_TLS_GNUTLS_PRIORITY in web process, because the network
> process is mandatory nowadays and the web process should not be performing
> any networking.
>
> Currently some media elements bits that perform networking in the web
> process are probably affected by this, but that's a bug that should be
> handled separately.

And the appcache manifest downloads.
Comment on attachment 310202 [details]
Patch

So we cannot do this yet.
(In reply to Michael Catanzaro from comment #3)
> So we cannot do this yet.

I wonder why. This is actually reducing security nowadays by defeating my attempts to change glib-networking's base priority, so it needs to go.
Created attachment 379264 [details] Patch
Downside of this is it will reenable RC4 for LTS distros still using GnuTLS 3.5 or earlier, but we shouldn't be reducing security for modern distros for the benefit of old ones.
Comment on attachment 379264 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=379264&action=review

Just one question below…

> Source/WebKit/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp:-46
> -    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0:!ARCFOUR-128", 0);

Instead of weakening security for users of LTS distributions, I would rather use:

    if (!gnutls_check_version_numeric(3, 6, 0))
        setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0:!ARCFOUR-128", 0);

Is there some reason to not use this suggestion?
(In reply to Adrian Perez from comment #7)
> Is there some reason to not use this suggestion?

It's nice to remove yucky workarounds from the code. I don't see many distros with old GnuTLS upgrading to our 2.26 anyway, and they should patch GnuTLS to adjust available ciphersuites regardless.
(In reply to Michael Catanzaro from comment #8)
> (In reply to Adrian Perez from comment #7)
> > Is there some reason to not use this suggestion?
>
> It's nice to remove yucky workarounds from the code.

Indeed, it is!

> I don't see many distros with old GnuTLS upgrading to our 2.26 anyway, and
> they should patch GnuTLS to adjust available ciphersuites regardless.

Fair enough, let's go ahead with this cleanup then 👍
Also, stronger reason: WebKit cannot link directly to GnuTLS or know that it is using GnuTLS under the hood.
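Added worked example (not part of this bug thread and not WebKit code) of the two behaviours the review discusses: the removed `setenv(..., 0)` call only takes effect when G_TLS_GNUTLS_PRIORITY is not already set, so a distro or user policy in the environment always wins, and comment #7's version gating applies the legacy string only on GnuTLS older than 3.6.0. Because WebKit cannot link GnuTLS (and this example by assumption does not either), the version is passed in as numbers instead of calling gnutls_check_version_numeric. `priority_removes` is a minimal tokenizer written for this example, not GnuTLS's parser; it only answers whether a keyword such as ARCFOUR-128 is explicitly removed from the string.

```c
#define _POSIX_C_SOURCE 200809L /* setenv/unsetenv/getenv declarations */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The priority string the old NetworkProcessMain.cpp hard-coded (quoted in the review above). */
#define LEGACY_PRIORITY "NORMAL:%COMPAT:!VERS-SSL3.0:!ARCFOUR-128"
#define PRIORITY_ENV "G_TLS_GNUTLS_PRIORITY"

/* Returns 1 when version a.b.c is older than x.y.z. Stands in for
 * !gnutls_check_version_numeric(x, y, z); the version is a parameter because this
 * example (by assumption) does not link GnuTLS. */
int version_older_than(int a, int b, int c, int x, int y, int z)
{
    if (a != x) return a < x;
    if (b != y) return b < y;
    return c < z;
}

/* Comment #7's gated variant: the legacy string only for GnuTLS < 3.6.0,
 * NULL otherwise so that glib-networking's own default priority applies. */
const char *legacy_priority_override(int major, int minor, int patch)
{
    return version_older_than(major, minor, patch, 3, 6, 0) ? LEGACY_PRIORITY : NULL;
}

/* Mirrors setenv(name, value, 0): a value already in the environment
 * (distro or user policy) is kept; NULL means the library default applies. */
const char *effective_priority(const char *already_set, const char *override)
{
    if (already_set && *already_set) return already_set;
    return override;
}

/* Reports whether a GnuTLS priority string explicitly removes `keyword`,
 * i.e. contains a ':'-separated token "!keyword" or "-keyword". */
int priority_removes(const char *prio, const char *keyword)
{
    size_t klen = strlen(keyword);
    const char *p = prio;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t tlen = end ? (size_t)(end - p) : strlen(p);
        if (tlen == klen + 1 && (p[0] == '!' || p[0] == '-')
            && strncmp(p + 1, keyword, klen) == 0)
            return 1;
        if (!end) return 0;
        p = end + 1;
    }
}

/* Applies the gated override exactly as the removed code did (overwrite = 0)
 * and returns what the TLS backend would see afterwards. */
const char *apply_legacy_priority(int major, int minor, int patch)
{
    const char *override = legacy_priority_override(major, minor, patch);
    if (override)
        setenv(PRIORITY_ENV, override, 0);
    return getenv(PRIORITY_ENV);
}

int main(void)
{
    /* Constructed scenarios: an old and a modern GnuTLS, starting from an unset variable. */
    unsetenv(PRIORITY_ENV);
    printf("GnuTLS 3.5.8 -> %s\n", apply_legacy_priority(3, 5, 8));
    unsetenv(PRIORITY_ENV);
    const char *v = apply_legacy_priority(3, 6, 4);
    printf("GnuTLS 3.6.4 -> %s\n", v ? v : "(library default)");
    printf("legacy string removes RC4: %d, SSL3: %d, TLS1.0: %d\n",
           priority_removes(LEGACY_PRIORITY, "ARCFOUR-128"),
           priority_removes(LEGACY_PRIORITY, "VERS-SSL3.0"),
           priority_removes(LEGACY_PRIORITY, "VERS-TLS1.0"));
    return 0;
}
```

The overwrite-0 behaviour is why a value set once in a process stays in place for later calls, which is also why an override belongs only in the process that actually opens TLS connections.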
Comment on attachment 379264 [details]
Patch

Clearing flags on attachment: 379264

Committed r250217: <https://trac.webkit.org/changeset/250217>
All reviewed patches have been landed. Closing bug.
*** Bug 158785 has been marked as a duplicate of this bug. ***