From: Vladimír Čunát
Date: Fri, 8 Jun 2018 10:20:16 +0000 (+0200)
Subject: daemon/tls: make gnutls_priority stricter
X-Git-Tag: v2.4.0~25^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3d306ce6d51f1c106b0b0e772e2fce41c97a289;p=thirdparty%2Fknot-resolver.git

daemon/tls: make gnutls_priority stricter

Otherwise CentOS 7 enables those two "ciphers" by default. Noticed in #355.
---

diff --git a/daemon/tls.c b/daemon/tls.c
index c09fac5b0..3e1562211 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -59,7 +59,9 @@ static int kres_gnutls_set_priority(gnutls_session_t session) {
 static const char * const priorities =
 "NORMAL:" /* GnuTLS defaults */
 "-VERS-TLS1.0:-VERS-TLS1.1:" /* TLS 1.2 and higher */
- "-COMP-ALL:+COMP-NULL"; /* no compression*/
+ /* Some distros by default allow features that are considered
+ * too insecure nowadays, so let's disable them explicitly. */
+ "-VERS-SSL3.0:-ARCFOUR-128:-COMP-ALL:+COMP-NULL";
 const char *errpos = NULL;
 int err = gnutls_priority_set_direct(session, priorities, &errpos);
 if (err != GNUTLS_E_SUCCESS) {
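Review bot: The added `"-VERS-SSL3.0:-ARCFOUR-128:-COMP-ALL:+COMP-NULL"` line still starts from the distro-defined `NORMAL` set and subtracts a fixed denylist, so any other legacy algorithm a platform's `NORMAL` happens to include remains enabled; the commit only removes the two items observed on CentOS 7, and that limitation deserves a sentence in the block comment above the string so the next maintainer knows the list is reactive rather than exhaustive. The removed line also carried the `/* no compression*/` note and the new segment has no per-item comment, so the `+COMP-NULL` ending is now unexplained; I would end the line as `"-VERS-SSL3.0:-ARCFOUR-128:-COMP-ALL:+COMP-NULL"; /* no SSL 3.0, no RC4, no compression */`. A keyword the installed GnuTLS does not recognise is reported by `gnutls_priority_set_direct` through `errpos`, which the existing `if (err != GNUTLS_E_SUCCESS)` check already covers, but that error path and the rest of `kres_gnutls_set_priority` lie outside the hunk.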