[PATCH] tls_gnutls: Disable TLS 1.3 if instructed

mac at mcrowe.com mac at mcrowe.com
Thu Jan 30 11:59:32 PST 2025


From: Mike Crowe <mac at mcrowe.com>

Ensure that if TLS 1.3 is disabled (which is the default currently),
GnuTLS is told to disable support for it too. Some RADIUS servers
apparently object to downgrading from TLS 1.3 to TLS 1.2 later even
though FreeRADIUS doesn't seem to mind in my testing.

Signed-off-by: Mike Crowe <mac at mcrowe.com>
---
 src/crypto/tls_gnutls.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index e3f5b5a42..bb050d19c 100644
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -410,15 +410,18 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 
 	if (params->flags & (TLS_CONN_DISABLE_TLSv1_0 |
 			     TLS_CONN_DISABLE_TLSv1_1 |
-			     TLS_CONN_DISABLE_TLSv1_2)) {
+			     TLS_CONN_DISABLE_TLSv1_2 |
+                             TLS_CONN_DISABLE_TLSv1_3)) {
 		os_snprintf(prio_buf, sizeof(prio_buf),
-			    "NORMAL:-VERS-SSL3.0%s%s%s",
+			    "NORMAL:-VERS-SSL3.0%s%s%s%s",
 			    params->flags & TLS_CONN_DISABLE_TLSv1_0 ?
 			    ":-VERS-TLS1.0" : "",
 			    params->flags & TLS_CONN_DISABLE_TLSv1_1 ?
 			    ":-VERS-TLS1.1" : "",
 			    params->flags & TLS_CONN_DISABLE_TLSv1_2 ?
-			    ":-VERS-TLS1.2" : "");
+			    ":-VERS-TLS1.2" : "",
+			    params->flags & TLS_CONN_DISABLE_TLSv1_3 ?
+			    ":-VERS-TLS1.3" : "");
 		prio = prio_buf;
 	}
 
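Review bot: The added `TLS_CONN_DISABLE_TLSv1_3)) {` line in the flag test is indented with spaces, while the surrounding continuation lines (`TLS_CONN_DISABLE_TLSv1_1 |`, `TLS_CONN_DISABLE_TLSv1_2 |`) use tabs; please match the existing tab indentation so the block stays consistent with the rest of the file. Separately, since the format string now appends a fourth optional `:-VERS-TLS1.3` fragment (13 more characters when all four disable flags are set), it is worth confirming that `prio_buf` is sized for the longest resulting priority string, as `os_snprintf(prio_buf, sizeof(prio_buf), ...)` would truncate silently rather than fail, and a truncated priority string would change which versions GnuTLS actually disables.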
-- 
2.39.5
