GnuTLS: Disable TLS 1.3 if instructed
authorMike Crowe <mac@mcrowe.com>
Thu, 30 Jan 2025 19:59:32 +0000 (19:59 +0000)
committerJouni Malinen <j@w1.fi>
Sat, 1 Feb 2025 16:48:11 +0000 (18:48 +0200)
Ensure that if TLS 1.3 is disabled (which is the default currently),
GnuTLS is told to disable support for it too. Some RADIUS servers
apparently object to downgrading from TLS 1.3 to TLS 1.2 later even
though FreeRADIUS doesn't seem to mind in my testing.

Signed-off-by: Mike Crowe <mac@mcrowe.com>
src/crypto/tls_gnutls.c

index e3f5b5a4227c05d8ab9fe0fd0ca02fb38484f6c0..378bebbd7ba4bb9e032fcf2ee9c6ceacc6e775d7 100644 (file)
@@ -410,15 +410,18 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 
        if (params->flags & (TLS_CONN_DISABLE_TLSv1_0 |
                             TLS_CONN_DISABLE_TLSv1_1 |
-                            TLS_CONN_DISABLE_TLSv1_2)) {
+                            TLS_CONN_DISABLE_TLSv1_2 |
+                            TLS_CONN_DISABLE_TLSv1_3)) {
                os_snprintf(prio_buf, sizeof(prio_buf),
-                           "NORMAL:-VERS-SSL3.0%s%s%s",
+                           "NORMAL:-VERS-SSL3.0%s%s%s%s",
                            params->flags & TLS_CONN_DISABLE_TLSv1_0 ?
                            ":-VERS-TLS1.0" : "",
                            params->flags & TLS_CONN_DISABLE_TLSv1_1 ?
                            ":-VERS-TLS1.1" : "",
                            params->flags & TLS_CONN_DISABLE_TLSv1_2 ?
-                           ":-VERS-TLS1.2" : "");
+                           ":-VERS-TLS1.2" : "",
+                           params->flags & TLS_CONN_DISABLE_TLSv1_3 ?
+                           ":-VERS-TLS1.3" : "");
                prio = prio_buf;
        }