From: Stefan Eissing
Date: Fri, 5 Dec 2025 14:38:12 +0000 (+0100)
Subject: gnutls: add PROFILE_MEDIUM as default
X-Git-Tag: rc-8_18_0-2~100
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=96ba7a79fc561ef8e7bedafacb70d9659224ee1f;p=thirdparty%2Fcurl.git

gnutls: add PROFILE_MEDIUM as default

Raise the default GnuTLS priority settings by adding PROFILE_MEDIUM for
more secure connection handling.

Reported-by: Harry Sintonen
Closes #19853
---

diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 667b09c119..c7f8f34673 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -305,16 +305,17 @@ static gnutls_x509_crt_fmt_t gnutls_do_file_type(const char *type)
   return GNUTLS_X509_FMT_PEM; /* default to PEM */
 }
 
-#define GNUTLS_CIPHERS "NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509"
+#define GNUTLS_CIPHERS "NORMAL:%PROFILE_MEDIUM:-ARCFOUR-128:"\
+  "-CTYPE-ALL:+CTYPE-X509"
 
 /* If GnuTLS was compiled without support for SRP it will error out if SRP is
    requested in the priority string, so treat it specially
  */
 #define GNUTLS_SRP "+SRP"
 
 #define QUIC_PRIORITY \
-  "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:" \
-  "+CHACHA20-POLY1305:+AES-128-CCM:-GROUP-ALL:+GROUP-SECP256R1:" \
-  "+GROUP-X25519:+GROUP-SECP384R1:+GROUP-SECP521R1:" \
+  "NORMAL:%PROFILE_MEDIUM:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:" \
+  "+AES-256-GCM:+CHACHA20-POLY1305:+AES-128-CCM:-GROUP-ALL:" \
+  "+GROUP-SECP256R1:+GROUP-X25519:+GROUP-SECP384R1:+GROUP-SECP521R1:" \
   "%DISABLE_TLS13_COMPAT_MODE"
 
 static CURLcode
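Review bot: The new `GNUTLS_CIPHERS` and `QUIC_PRIORITY` strings carry no comment explaining what `%PROFILE_MEDIUM` changes, and users will meet this change as unexplained handshake or certificate-verification failures against peers with weak keys or signature hashes, so I would add above the `#define GNUTLS_CIPHERS` line: `/* %PROFILE_MEDIUM raises the minimum key sizes and hash strength GnuTLS accepts during certificate verification; peers with weaker credentials now fail instead of connecting */` (adjusted to the exact level GnuTLS documents for the medium profile). GnuTLS rejects a priority string containing a keyword it does not recognise, so if curl's documented minimum GnuTLS version predates the `%PROFILE_*` keywords, `gnutls_priority_init()` would fail on every connection for such builds — worth confirming before this ships. Presumably a user-supplied cipher list replaces `GNUTLS_CIPHERS` wholesale rather than extending it; if so, the profile silently does not apply in that case, which the documentation for the cipher-list option should state. As a style nit, the new `"NORMAL:%PROFILE_MEDIUM:-ARCFOUR-128:"\` line drops the space before the line-continuation backslash that the `QUIC_PRIORITY` lines in the same hunk keep.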