From: Miroslav Lichvar
Date: Thu, 26 Mar 2020 14:18:08 +0000 (+0100)
Subject: nts: disable TLS version 1.2
X-Git-Tag: 4.0-pre2~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eedabb3d272dcaf5deb9ede02c59f7c81c1e903f;p=thirdparty%2Fchrony.git

nts: disable TLS version 1.2

Require TLS version 1.3 or later as specified in the latest NTS draft.
---

diff --git a/nts_ke_session.c b/nts_ke_session.c
index bd1b0012..28832738 100644
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@@ -551,8 +551,9 @@ init_gnutls(void)
   if (r < 0)
     LOG_FATAL("Could not initialise %s : %s", "gnutls", gnutls_strerror(r));
 
-  /* NTS specification requires TLS1.2 or later */
-  r = gnutls_priority_init2(&priority_cache, "-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1",
+  /* NTS specification requires TLS1.3 or later */
+  r = gnutls_priority_init2(&priority_cache,
+                            "-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2",
                             NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND);
   if (r < 0)
     LOG_FATAL("Could not initialise %s : %s", "priority cache", gnutls_strerror(r));
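Review bot: The new priority string only subtracts versions from the system default (GNUTLS_PRIORITY_INIT_DEF_APPEND on the following line), so whether TLS 1.3 is actually offered depends on that default; on a host whose crypto policy does not enable TLS 1.3, gnutls_priority_init2 would presumably still succeed here and every NTS-KE handshake would then fail later with a less obvious error. The subtractive form looks like the right choice because the requirement is "1.3 or later" rather than "exactly 1.3", but the comment should record that dependency, e.g. `/* NTS specification requires TLS1.3 or later; versions are removed from the system default priority, which must itself enable TLS1.3 */`. If the project wants to fail fast, a check of the negotiated version at handshake time, or a startup diagnostic of the effective priority, would make a misconfigured policy visible immediately; I cannot see from the hunk whether such a check already exists. The enclosing function init_gnutls begins and ends outside the hunk.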