Relax GnuTLS priority strings slightly to allow getdns to work with TLS1.3 servers.
Now that GnuTLS 3.6.5 and later are in the field, we've run into problems handshaking with TLS1.3 servers with a GnuTLS build. OpenSSL works fine. Comparing the client handshakes of GnuTLS and OpenSSL, we found GnuTLS was being considerably more restrictive. This change loosens the restriction so GnuTLS presents nearly the same set of cipher and other options as OpenSSL. OpenSSL provides more signature algorithms. The change gets GetDNS working against Quad1, Quad8, Quad9 and the getdnsapi servers.
parent
e96e334932
commit
9baf655a7b
@ -5,7 +5,7 @@
|
|||
*/
|
||||
|
||||
/*
|
||||
* Copyright (c) 2018-2019, NLnet Labs
|
||||
* Copyright (c) 2018-2020, NLnet Labs
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
|
@ -102,7 +102,7 @@ static int set_connection_ciphers(_getdns_tls_connection* conn)
|
|||
char* pri = NULL;
|
||||
int res;
|
||||
|
||||
pri = getdns_priappend(conn->mfs, pri, "NONE:+COMP-ALL:+SIGN-RSA-SHA384");
|
||||
pri = getdns_priappend(conn->mfs, pri, "NONE:+COMP-ALL:+SIGN-ALL");
|
||||
|
||||
if (conn->cipher_suites)
|
||||
pri = getdns_priappend(conn->mfs, pri, conn->cipher_suites);
|
||||
|
@ -119,7 +119,11 @@ static int set_connection_ciphers(_getdns_tls_connection* conn)
|
|||
else if (conn->ctx->curve_list)
|
||||
pri = getdns_priappend(conn->mfs, pri, conn->ctx->curve_list);
|
||||
else
|
||||
#if GNUTLS_VERSION_NUMBER >= 0x030605
|
||||
pri = getdns_priappend(conn->mfs, pri, "+GROUP-EC-ALL");
|
||||
#else
|
||||
pri = getdns_priappend(conn->mfs, pri, "+CURVE-ALL");
|
||||
#endif
|
||||
|
||||
gnutls_protocol_t min = conn->min_tls;
|
||||
gnutls_protocol_t max = conn->max_tls;
|
||||
|
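Review bot: In the hunk at `@ -102,7 +102,7 @`, replacing `+SIGN-RSA-SHA384` with `+SIGN-ALL` widens the offered signature algorithms from one explicit entry to everything the linked GnuTLS build supports, and the new line carries no comment saying that this is the intended trade-off rather than a placeholder. Exactly which algorithms `SIGN-ALL` expands to depends on the GnuTLS version in use, so it is worth confirming against the GnuTLS priority-string documentation for the minimum supported version that no legacy hash-based signature algorithm is admitted, and appending an explicit exclusion if one is. A short comment would preserve the rationale for the next reader, e.g. `/* SIGN-ALL rather than a single algorithm: TLS1.3 servers rejected the narrow list; keep roughly in step with OpenSSL's default set */`. The enclosing function set_connection_ciphers() begins before the hunk and the return value of getdns_priappend() is not checked anywhere in the visible lines, so a NULL `pri` would only be caught, if at all, further down in code not shown here.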
|