daemon/tls: make gnutls_priority stricter
authorVladimír Čunát <vladimir.cunat@nic.cz>
Fri, 8 Jun 2018 10:20:16 +0000 (12:20 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Fri, 8 Jun 2018 10:20:16 +0000 (12:20 +0200)
Otherwise CentOS 7 enables those two "ciphers" by default.
Noticed in #355.

daemon/tls.c

index c09fac5b0cc383514689e17981e30f3dae077f9b..3e15622119d738f1b5b09a7f43a5cd5b6022580e 100644 (file)
@@ -59,7 +59,9 @@ static int kres_gnutls_set_priority(gnutls_session_t session) {
        static const char * const priorities =
                "NORMAL:" /* GnuTLS defaults */
                "-VERS-TLS1.0:-VERS-TLS1.1:" /* TLS 1.2 and higher */
-               "-COMP-ALL:+COMP-NULL"; /* no compression*/
+                /* Some distros by default allow features that are considered
+                 * too insecure nowadays, so let's disable them explicitly. */
+               "-VERS-SSL3.0:-ARCFOUR-128:-COMP-ALL:+COMP-NULL";
        const char *errpos = NULL;
        int err = gnutls_priority_set_direct(session, priorities, &errpos);
        if (err != GNUTLS_E_SUCCESS) {
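Review bot: The new priority string is still an explicit deny-list layered on `NORMAL:`, so what stays enabled depends on each distro's GnuTLS build and defaults (the very variance the description cites for CentOS 7), and a further weak option that some distro turns on by default would presumably remain allowed. The comment on the added lines should state that trade-off and keep the per-token rationale the dropped `/* no compression*/` gave, e.g. `/* explicitly deny SSLv3, RC4 and all TLS compression; NORMAL may otherwise re-enable them on some distros */`. Since `gnutls_priority_set_direct` only validates the string at runtime, a GnuTLS build that rejects one of the added tokens fails right here, so it is worth confirming that the error path logs `errpos` so the misconfiguration is diagnosable; that path and the rest of kres_gnutls_set_priority continue outside the hunk. Minor: the inserted comment sits one column deeper than the string pieces around it.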