>From 90111b6146429481a81e34dca8c3c684d74ce074 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 27 Jun 2013 17:36:53 +0200
Subject: [PATCH 3/3] When selecting TLS protocol options for GnuTLS set the same defaults as in openssl.

This change removes the protocol-weakening options (e.g., the disabling of secure renegotiation, the removal of ECDHE ciphersuites, and the restriction to the known to be weak TLS 1.0).

Signed-off-by: Nikos Mavrogiannopoulos
---
 gnutls.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/gnutls.c b/gnutls.c
index 7ecf241..b58daf1 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1751,8 +1751,7 @@ static int verify_peer(gnutls_session_t session)
 	return err;
 }
 
-#define DEFAULT_PRIO "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
-	"%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"
+#define DEFAULT_PRIO "NORMAL:-VERS-SSL3.0:%COMPAT"
 
 int openconnect_open_https(struct openconnect_info *vpninfo)
 {
@@ -1868,11 +1867,7 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 	if (vpninfo->pfs) {
 		prio = DEFAULT_PRIO":-RSA";
 	} else {
-		prio = DEFAULT_PRIO
-#if GNUTLS_VERSION_MAJOR >= 3
-			":-CURVE-ALL"
-#endif
-			;
+		prio = DEFAULT_PRIO;
 	}
 
 	err = gnutls_priority_set_direct(vpninfo->https_sess,
-- 
1.7.10.4
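Review bot: The new `DEFAULT_PRIO` in the first hunk still carries `%COMPAT`, which tells GnuTLS to tolerate certain protocol deviations for interoperability, and nothing on the line records why that one workaround survives now that the renegotiation and record-version flags are gone; a short comment would keep a later cleanup from dropping it or re-adding the stronger flags. Something like `/* %COMPAT is kept for interoperability with non-conforming servers; SSL 3.0 is disabled explicitly because the contents of NORMAL vary between GnuTLS releases */` above the `#define` would do. The effective minimum protocol version is now whatever the installed library's NORMAL set allows, which appears to be the intent of the commit but is worth stating next to the macro. The second hunk's removal of the `:-CURVE-ALL` branch likewise leaves ECDHE enablement to the library; its enclosing function openconnect_open_https starts and ends outside the hunk.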