From: Mike Crowe
Date: Thu, 30 Jan 2025 19:59:32 +0000 (+0000)
Subject: GnuTLS: Disable TLS 1.3 if instructed
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a504c4e5bf25942dda2538677250e0255ae769e;p=thirdparty%2Fhostap.git

GnuTLS: Disable TLS 1.3 if instructed

Ensure that if TLS 1.3 is disabled (which is the default currently), GnuTLS is told to disable support for it too. Some RADIUS servers apparently object to downgrading from TLS 1.3 to TLS 1.2 later even though FreeRADIUS doesn't seem to mind in my testing.

Signed-off-by: Mike Crowe
---
diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index e3f5b5a42..378bebbd7 100644
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -410,15 +410,18 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 if (params->flags & (TLS_CONN_DISABLE_TLSv1_0 |
 TLS_CONN_DISABLE_TLSv1_1 |
- TLS_CONN_DISABLE_TLSv1_2)) {
+ TLS_CONN_DISABLE_TLSv1_2 |
+ TLS_CONN_DISABLE_TLSv1_3)) {
 os_snprintf(prio_buf, sizeof(prio_buf),
- "NORMAL:-VERS-SSL3.0%s%s%s",
+ "NORMAL:-VERS-SSL3.0%s%s%s%s",
 params->flags & TLS_CONN_DISABLE_TLSv1_0 ?
 ":-VERS-TLS1.0" : "",
 params->flags & TLS_CONN_DISABLE_TLSv1_1 ?
 ":-VERS-TLS1.1" : "",
 params->flags & TLS_CONN_DISABLE_TLSv1_2 ?
- ":-VERS-TLS1.2" : "");
+ ":-VERS-TLS1.2" : "",
+ params->flags & TLS_CONN_DISABLE_TLSv1_3 ?
+ ":-VERS-TLS1.3" : "");
 prio = prio_buf;
 }
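Review bot: The os_snprintf() result is still unchecked after the format string gains a fourth `%s`, so with all four DISABLE flags set the priority string now reaches 71 characters plus the terminator, and whether that fits is decided by the prio_buf declaration, which lies outside this hunk. If the buffer were too small the string would be silently truncated, and GnuTLS would then either reject the priority string or apply fewer version exclusions than the caller asked for, which is the opposite of what a "disable this protocol version" flag promises. Making the size assumption explicit costs two lines: `int res = os_snprintf(prio_buf, sizeof(prio_buf), ...);` followed by `if (os_snprintf_error(sizeof(prio_buf), res)) return -1;`, assuming tls_connection_set_params reports failure with -1 like the rest of its body, which starts and ends outside the hunk. A compile-time assertion that prio_buf holds the known maximum would serve equally well and cannot regress silently the next time a version suffix is added.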