nts: disable TLS 1.2 on server

It seems gnutls (at least in version 3.6.14) allows clients to connect
using TLS1.2 when it has a DTLS version enabled in the priority cache.

Disable all DTLS versions in order to disable TLS1.2.

diff --git a/nts_ke_session.c b/nts_ke_session.c
index 83cad3ca05f482eb0ad6041811df967acc301f4e..45ebda89c691bfdb0e6ac73163243848176224ed 100644 (file)
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@@ -604,7 +604,7 @@ init_gnutls(void)
   /* Prepare a priority cache for server and client NTS-KE sessions
      (the NTS specification requires TLS1.3 or later) */
   r = gnutls_priority_init2(&priority_cache,
-                            "-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2",
+                            "-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-DTLS-ALL",
                             NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND);
   if (r < 0)
     LOG_FATAL("Could not initialise %s : %s", "priority cache", gnutls_strerror(r));