From: Petr Špaček Date: Thu, 18 Jan 2018 15:22:56 +0000 (+0100) Subject: TLS: make GnuTLS priorities compatible with CentOS 7 and Debian 9 X-Git-Tag: v2.0.0~29^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a0c4003f82ce59f504f83462a90f62870e63eb86;p=thirdparty%2Fknot-resolver.git TLS: make GnuTLS priorities compatible with CentOS 7 and Debian 9 gnutls-3.3.26-9.el7.x86_64 and libgnutls30-3.5.8-5+deb9u3 do not support @SYSTEM keyword and CentOS 7 has problem with -VERS-DTLS-ALL. We do not configure DTLS sockets so it should be harmless to delete the DTLS keyword. @SYSTEM is replaced by NORMAL, oh well. fixup! TLS client: enforce minimal TLS version and no compression --- diff --git a/daemon/tls.c b/daemon/tls.c index 8a55feb6f..b8f286a32 100644 --- a/daemon/tls.c +++ b/daemon/tls.c @@ -81,8 +81,7 @@ static int client_verify_certificate(gnutls_session_t tls_session); */ static int kres_gnutls_set_priority(gnutls_session_t session) { static const char * const priorities = - "@SYSTEM:" /* GnuTLS system-wide settings */ - "-VERS-DTLS-ALL:" /* we do not support DTLS yet */ + "NORMAL:" /* GnuTLS defaults */ "-VERS-TLS1.0:-VERS-TLS1.1:" /* TLS 1.2 and higher */ "-COMP-ALL:+COMP-NULL"; /* no compression*/ const char *errpos = NULL;
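Review bot: In the priorities string of kres_gnutls_set_priority(), replacing "@SYSTEM:" with "NORMAL:" drops the system-wide GnuTLS settings on every platform, including those whose GnuTLS accepts the keyword, so an administrator who has tightened the system policy will no longer see it applied to this daemon's TLS sessions. Consider trying the "@SYSTEM"-based string first and falling back to the "NORMAL"-based one only when setting the priority fails (errpos is already declared just below), or at least say in the code that the system policy is deliberately bypassed for CentOS 7 and Debian 9 compatibility; the new comment reads only /* GnuTLS defaults */. The removed "-VERS-DTLS-ALL:" line also took its rationale with it: a one-line comment stating that no DTLS sockets are configured, and that the keyword is left out because CentOS 7 rejects it, would keep a later change from re-adding it.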