From 9baf655a7bc666773152fee553105807ad9fcbc0 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Thu, 5 Mar 2020 13:24:44 +0000
Subject: [PATCH] Relax GnuTLS priority strings slightly to allow getdns to work with TLS1.3 servers.

Now GnuTLS 3.6.5 and later are in the field, we've run into problems handshaking with TLS1.3 servers with a GnuTLS build. OpenSSL works fine. Comparing the client handshake of GnuTLS and OpenSSL, we found GnuTLS was being considerably more restrictive. This change loosens the restriction so GnuTLS presents nearly the same set of cipher and other options and OpenSSL. OpenSSL provides more signature algorithms. The change gets GetDNS working against Quad1, Quad8, Quad9 and the getdnsapi servers.
---
 src/gnutls/tls.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index 88153d73..9b11e9b3 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -5,7 +5,7 @@
  */

 /*
- * Copyright (c) 2018-2019, NLnet Labs
+ * Copyright (c) 2018-2020, NLnet Labs
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -102,7 +102,7 @@ static int set_connection_ciphers(_getdns_tls_connection* conn)
  char* pri = NULL;
  int res;

- pri = getdns_priappend(conn->mfs, pri, "NONE:+COMP-ALL:+SIGN-RSA-SHA384");
+ pri = getdns_priappend(conn->mfs, pri, "NONE:+COMP-ALL:+SIGN-ALL");

  if (conn->cipher_suites)
  pri = getdns_priappend(conn->mfs, pri, conn->cipher_suites);
@@ -119,7 +119,11 @@ static int set_connection_ciphers(_getdns_tls_connection* conn)
  else if (conn->ctx->curve_list)
  pri = getdns_priappend(conn->mfs, pri, conn->ctx->curve_list);
  else
+#if GNUTLS_VERSION_NUMBER >= 0x030605
+ pri = getdns_priappend(conn->mfs, pri, "+GROUP-EC-ALL");
+#else
  pri = getdns_priappend(conn->mfs, pri, "+CURVE-ALL");
+#endif

  gnutls_protocol_t min = conn->min_tls;
  gnutls_protocol_t max = conn->max_tls;
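Review bot: `+SIGN-ALL` in the first `getdns_priappend` call replaces a one-algorithm pin with whatever signature set the installed GnuTLS treats as its default, so the accepted algorithms now vary with the library version and may include SHA-1 based signatures on older builds. If the earlier restriction was a deliberate policy, an explicit list of the SHA-256/384/512 RSA, RSA-PSS and ECDSA entries would still fix the TLS 1.3 handshake without handing the choice to the library. Otherwise a comment such as `/* SIGN-ALL: follow GnuTLS defaults; RSA-SHA384 alone fails TLS 1.3 handshakes */` should record that the widening is intended. The body of set_connection_ciphers continues outside the hunk, so whether a later step narrows the set again is not visible here.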
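Review bot: The final `else` of the curve selection chain has no braces, and its single statement is now chosen by `#if GNUTLS_VERSION_NUMBER >= 0x030605`, so a statement added later to either arm would run unconditionally. Wrapping the arms as `else {` … `}`, or hoisting the choice into one named constant passed to a single `getdns_priappend` call, keeps the chain safe to edit. A short comment such as `/* GROUP-* keywords are used from GnuTLS 3.6.5 on; older builds keep CURVE-ALL */` would record why the threshold is 3.6.5. The check is compile-time, so it reflects the headers the build saw rather than the library loaded at run time. The start of the if/else chain and the rest of set_connection_ciphers lie outside the hunk.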