[PATCH 5/6] When selecting TLS protocol options for GnuTLS set the same defaults as in openssl.
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sat Nov 23 12:58:41 EST 2013
This change removes the protocol-weakening options (e.g., the disabling of
secure renegotiation, the removal of ECDHE ciphersuites, and the restriction
to the known to be weak TLS 1.0).
Signed-off-by: Nikos Mavrogiannopoulos <nmav at gnutls.org>
---
gnutls.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/gnutls.c b/gnutls.c
index d25ec23..2d9ac74 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1801,8 +1801,7 @@ static int verify_peer(gnutls_session_t session)
return err;
}
-#define DEFAULT_PRIO "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
- "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"
+#define DEFAULT_PRIO "NORMAL:-VERS-SSL3.0:%COMPAT"
int openconnect_open_https(struct openconnect_info *vpninfo)
{
@@ -1918,11 +1917,7 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
if (vpninfo->pfs) {
prio = DEFAULT_PRIO":-RSA";
} else {
- prio = DEFAULT_PRIO
-#if GNUTLS_VERSION_MAJOR >= 3
- ":-CURVE-ALL"
-#endif
- ;
+ prio = DEFAULT_PRIO;
}
err = gnutls_priority_set_direct(vpninfo->https_sess,
More information about the openconnect-devel
mailing list