From 967ee481e893fd77ff8ca896188e20e425331bf2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
Date: Wed, 20 Apr 2016 13:12:57 +0200
Subject: [PATCH] download: Add "%COMPAT" to the priority string.

Fixes <http://bugs.gnu.org/23311>.

* guix/build/download.scm (tls-wrap): Add 'set-session-priorities!' call.
---
 guix/build/download.scm | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/guix/build/download.scm b/guix/build/download.scm
index bd354a6985..e00fa04e35 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -274,6 +274,13 @@ host name without trailing dot."
 
     (set-session-transport-fd! session (fileno port))
     (set-session-default-priority! session)
+
+    ;; The "%COMPAT" bit allows us to work around firewall issues (info
+    ;; "(gnutls) Priority Strings"); see <http://bugs.gnu.org/23311>.
+    ;; Explicitly disable SSLv3, which is insecure:
+    ;; <https://tools.ietf.org/html/rfc7568>.
+    (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0")
+
     (set-session-credentials! session (make-certificate-credentials))
 
     ;; Uncomment the following lines in case of debugging emergency.