Relax GnuTLS priority strings slightly to allow getdns to work with TLS1.3 servers.

Now GnuTLS 3.6.5 and later are in the field, we've run into problems handshaking with TLS1.3 servers with a GnuTLS build. OpenSSL works fine. Comparing the client handshake of GnuTLS and OpenSSL, we found GnuTLS was being considerably more restrictive. This change loosens the restriction so GnuTLS presents nearly the same set of cipher and other options as OpenSSL. OpenSSL provides more signature algorithms. The change gets GetDNS working against Quad1, Quad8, Quad9 and the getdnsapi servers.
Jim Hague 2020-03-05 13:24:44 +00:00
parent e96e334932
commit 9baf655a7b
1 changed file with 6 additions and 2 deletions


@ -5,7 +5,7 @@
*/
/*
* Copyright (c) 2018-2019, NLnet Labs
* Copyright (c) 2018-2020, NLnet Labs
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -102,7 +102,7 @@ static int set_connection_ciphers(_getdns_tls_connection* conn)
char* pri = NULL;
int res;
pri = getdns_priappend(conn->mfs, pri, "NONE:+COMP-ALL:+SIGN-RSA-SHA384");
pri = getdns_priappend(conn->mfs, pri, "NONE:+COMP-ALL:+SIGN-ALL");
if (conn->cipher_suites)
pri = getdns_priappend(conn->mfs, pri, conn->cipher_suites);
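Review bot: swapping "+SIGN-RSA-SHA384" for "+SIGN-ALL" in the base priority string goes well beyond the commit message's stated aim of matching OpenSSL's offer: it enables every signature algorithm the linked GnuTLS build supports rather than a reviewed list, so the set advertised in the ClientHello now depends on the library version and may include algorithms OpenSSL would not send. Consider enumerating the intended SIGN-* entries explicitly, and add a comment beside the string naming the servers it was validated against (the message lists Quad1, Quad8, Quad9 and the getdnsapi servers), so the next person touching this line knows why it was widened.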
@ -119,7 +119,11 @@ static int set_connection_ciphers(_getdns_tls_connection* conn)
else if (conn->ctx->curve_list)
pri = getdns_priappend(conn->mfs, pri, conn->ctx->curve_list);
else
#if GNUTLS_VERSION_NUMBER >= 0x030605
pri = getdns_priappend(conn->mfs, pri, "+GROUP-EC-ALL");
#else
pri = getdns_priappend(conn->mfs, pri, "+CURVE-ALL");
#endif
gnutls_protocol_t min = conn->min_tls;
gnutls_protocol_t max = conn->max_tls;
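Review bot: the bare `else` at the top of this hunk now has a preprocessor conditional as its body instead of a single statement. Each `#if`/`#else` arm still expands to exactly one statement, so the `else` binds correctly today, but any second statement added inside either arm would silently land outside the `else`. Wrap the body in braces (`else {` before the `#if GNUTLS_VERSION_NUMBER >= 0x030605` and `}` after the `#endif`) so the intent survives later edits. The 0x030605 threshold does match the GnuTLS 3.6.5 named in the commit message, so the version gate itself is consistent.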