From e3d306ce6d51f1c106b0b0e772e2fce41c97a289 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Fri, 8 Jun 2018 12:20:16 +0200
Subject: [PATCH] daemon/tls: make gnutls_priority stricter

Otherwise CentOS 7 enables those two "ciphers" by default. Noticed in #355.
---
 daemon/tls.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/daemon/tls.c b/daemon/tls.c
index c09fac5b0..3e1562211 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -59,7 +59,9 @@ static int kres_gnutls_set_priority(gnutls_session_t session) {
 static const char * const priorities =
 "NORMAL:" /* GnuTLS defaults */
 "-VERS-TLS1.0:-VERS-TLS1.1:" /* TLS 1.2 and higher */
- "-COMP-ALL:+COMP-NULL"; /* no compression*/
+ /* Some distros by default allow features that are considered
+ * too insecure nowadays, so let's disable them explicitly. */
+ "-VERS-SSL3.0:-ARCFOUR-128:-COMP-ALL:+COMP-NULL";
 const char *errpos = NULL;
 int err = gnutls_priority_set_direct(session, priorities, &errpos);
 if (err != GNUTLS_E_SUCCESS) {
-- 
2.47.3
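Review bot: The rationale for `-COMP-ALL:+COMP-NULL` is lost on the new side: the removed line's `/* no compression*/` annotation is dropped and the new block comment only explains the SSL3/ARCFOUR additions, breaking the one-comment-per-fragment style of the two lines above it. I would keep the compression fragment on its own annotated line, `"-VERS-SSL3.0:-ARCFOUR-128:" /* still enabled by NORMAL on some distros */` followed by `"-COMP-ALL:+COMP-NULL"; /* no compression (CRIME) */`, so the reason each restriction exists stays next to it. Because the change reacts to a distro-specific NORMAL profile, this subtractive list is only as complete as the profiles it was checked against; older GnuTLS builds presumably keep other legacy options (3DES-CBC, MD5 MACs) in NORMAL as well, so it may be worth confirming the effective list with `gnutls-cli -l --priority "<string>"` on the affected platform and extending the comment with what was verified. If a GnuTLS build does not recognize one of the new keywords, I believe gnutls_priority_set_direct rejects the whole string with errpos pointing at it, so every session would take the error branch; that branch and the rest of kres_gnutls_set_priority lie outside the hunk.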