From e8f34d48fb13b3d3c9141e7f5e319757e89b9ddc Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Thu, 13 Dec 2018 12:04:01 +0000
Subject: [PATCH] Adjust default cipher list so required authentication works with getdnsapi.

The previous default cipher string wouldn't connect with getdnsapi. Selection of cipher strings requires some deep study, I think. So, taking working with getdnsapi.net as our target, discover that we need SECURE128 as well as SECURE192. And rather than disable everything except TLS1.2, disable TLS1.0 and TLS1.1. This should mean it connects to TLS1.3.
---
 src/gnutls/tls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index adfac78c..fe6fbc07 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -48,7 +48,7 @@
  * a known working priority string.
  */
 char const * const _getdns_tls_context_default_cipher_list =
- "SECURE192:-VERS-ALL:+VERS-TLS1.2";
+ "SECURE128:SECURE192:-VERS-TLS1.0:-VERS-TLS1.1";
 
 static char const * const _getdns_tls_connection_opportunistic_cipher_list =
  "NORMAL";
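Review bot: The new priority string lowers the minimum accepted cipher strength for the "required authentication" context from 192-bit to 128-bit suites, but the only nearby comment (` * a known working priority string.`, whose comment block opens above the hunk) does not record that trade-off or its reason; add a line such as `/* SECURE128 is needed to interoperate with getdnsapi.net; TLS 1.0/1.1 are removed rather than pinning TLS 1.2 so that TLS 1.3 can be negotiated where GnuTLS supports it. */`. Whether `SECURE192` after `SECURE128` contributes anything depends on GnuTLS keyword semantics — if the SECURE192 suites are already a subset of the SECURE128 set, the second keyword is redundant and could be dropped to keep the string readable; `gnutls-cli -l --priority '<string>'` shows the suite and protocol list that actually results and is worth checking before merging. The commit message's expectation that this connects with TLS 1.3 holds only for GnuTLS builds that implement it, so a comment should state the intent rather than promise the version.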