From 1962c03b799b9d9faac5a60c59abb059230f3c8e Mon Sep 17 00:00:00 2001
From: Bruno Pagani
Date: Sun, 23 Dec 2018 11:31:27 +0000
Subject: [PATCH 1/2] context: remove TLS13 cipher from cipher_list TLS 1.3 ciphers have to be set in ciphersuites instead.
---
 src/context.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/context.c b/src/context.c
index d952d8d6..1429d5e4 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1469,8 +1469,7 @@ static char const * const _getdns_default_trust_anchors_verify_email =
 "dnssec@iana.org";

 static char const * const _getdns_default_tls_cipher_list =
- "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
- "TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
+ "EECDH+AESGCM:EECDH+CHACHA20";

 static char const * const _getdns_default_tls_ciphersuites =
 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
From bbe7dff25748455852128196fd7ce4fee0b4e60f Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Mon, 31 Dec 2018 16:13:20 +0100
Subject: [PATCH 2/2] No TLS1.3 ciphers in cipher_list only when ... SSL_set_ciphersuites in OpenSSL API.
---
 src/context.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/context.c b/src/context.c
index 1429d5e4..825d6309 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1468,7 +1468,12 @@ static char const * const _getdns_default_trust_anchors_verify_CA =
 static char const * const _getdns_default_trust_anchors_verify_email =
 "dnssec@iana.org";

+
 static char const * const _getdns_default_tls_cipher_list =
+#ifndef HAVE_SSL_CTX_SET_CIPHERSUITES
+ "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
+ "TLS13-CHACHA20-POLY1305-SHA256:"
+#endif
 "EECDH+AESGCM:EECDH+CHACHA20";

 static char const * const _getdns_default_tls_ciphersuites =
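Review bot: Nothing at `_getdns_default_tls_cipher_list` says that it now covers only the pre-TLS 1.3 suites, so a reader who sees just `"EECDH+AESGCM:EECDH+CHACHA20"` can take it for the complete default policy. I would add above the declaration `/* Pre-TLS 1.3 suites only; TLS 1.3 suites are set from _getdns_default_tls_ciphersuites. */`. The code that hands these two strings to the TLS library is outside the hunk, so it cannot be confirmed from here that every supported library version has a path that applies the ciphersuites string.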
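Review bot: The fallback added under `#ifndef HAVE_SSL_CTX_SET_CIPHERSUITES` orders the TLS 1.3 suites AES-256, AES-128, CHACHA20, while `_getdns_default_tls_ciphersuites` (its initializer is cut off in this hunk but visible in the first patch's context) orders them AES_256, CHACHA20, AES_128, so the advertised TLS 1.3 preference depends on which API the build detected. If that difference is not intended, the added lines could read `"TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:"` and `"TLS13-AES-128-GCM-SHA256:"`. A short comment on the `#ifndef`, for example `/* no ciphersuites setter: TLS 1.3 suites go through the cipher list */`, would also help, since a preprocessor conditional inside a string concatenation is easy to misread. The extra blank line added before the declaration looks unintended.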