From: Miroslav Lichvar
Date: Tue, 28 Jul 2020 10:13:17 +0000 (+0200)
Subject: nts: disable TLS 1.2 on server
X-Git-Tag: 4.0-pre3~36
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30969265474140a4bc8c489ff79162afd59ecc82;p=thirdparty%2Fchrony.git

nts: disable TLS 1.2 on server

It seems gnutls (at least in version 3.6.14) allows clients to connect using TLS1.2 when it has a DTLS version enabled in the priority cache. Disable all DTLS versions in order to disable TLS1.2.
---

diff --git a/nts_ke_session.c b/nts_ke_session.c
index 83cad3ca..45ebda89 100644
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@@ -604,7 +604,7 @@ init_gnutls(void)
 /* Prepare a priority cache for server and client NTS-KE sessions
 (the NTS specification requires TLS1.3 or later) */
 r = gnutls_priority_init2(&priority_cache,
- "-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2",
+ "-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-DTLS-ALL",
 NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND);
 if (r < 0)
 LOG_FATAL("Could not initialise %s : %s", "priority cache", gnutls_strerror(r));
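Review bot: The reason for `-VERS-DTLS-ALL` in the new priority string lives only in the commit message, so a later cleanup could drop it as unrelated to NTS-KE and silently re-enable TLS1.2; the comment above the call should carry it, e.g. `/* DTLS is disabled too: with a DTLS version enabled, gnutls (seen in 3.6.14) also accepts TLS1.2 clients despite -VERS-TLS1.2 */`. Separately, the string is a deny-list appended to the system default via GNUTLS_PRIORITY_INIT_DEF_APPEND, so the TLS1.3-only requirement holds only as long as nothing else in the default enables an older version; an allow-list form such as `"-VERS-ALL:+VERS-TLS1.3"` would state the requirement directly, though it would also exclude future versions, which the existing comment ("TLS1.3 or later") may intend to keep. The enclosing init_gnutls() starts and ends outside the hunk, so I cannot see whether the resulting priority is checked anywhere else.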