I found gnutls_certificate_set_x509_trust_(file|dir)(), so it's a lot
easier than I feared. Plus a little diggiing shows that if you're
loading the system defaults, GnuTLS on Windows does load them from the
Windows certificate store.
The previous default cipher string wouldn't connect with getdnsapi.
Selection of cipher strings requires some deep study, I think.
So, taking working with getdnsapi.net as our target, discover that we
need SECURE128 as well as SECURE192. And rather than disable everything
except TLS1.2, disable TLS1.0 and TLS1.1. This should mean it connects
to TLS1.3.
Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
Add a flag to the context (so, it's actually got something useful there!) and check the connection version on a successful handshake.
This means we need to access the context from a connection, so add a pointer to the context to the connection.
Jim Hague
Jim Hague