From 4a504c4e5bf25942dda2538677250e0255ae769e Mon Sep 17 00:00:00 2001
From: Mike Crowe
Date: Thu, 30 Jan 2025 19:59:32 +0000
Subject: [PATCH] GnuTLS: Disable TLS 1.3 if instructed

Ensure that if TLS 1.3 is disabled (which is the default currently), GnuTLS is told to disable support for it too.

Some RADIUS servers apparently object to downgrading from TLS 1.3 to TLS 1.2 later even though FreeRADIUS doesn't seem to mind in my testing.

Signed-off-by: Mike Crowe
---
 src/crypto/tls_gnutls.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index e3f5b5a422..378bebbd7b 100644
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -410,15 +410,18 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 if (params->flags & (TLS_CONN_DISABLE_TLSv1_0 |
 TLS_CONN_DISABLE_TLSv1_1 |
- TLS_CONN_DISABLE_TLSv1_2)) {
+ TLS_CONN_DISABLE_TLSv1_2 |
+ TLS_CONN_DISABLE_TLSv1_3)) {
 os_snprintf(prio_buf, sizeof(prio_buf),
- "NORMAL:-VERS-SSL3.0%s%s%s",
+ "NORMAL:-VERS-SSL3.0%s%s%s%s",
 params->flags & TLS_CONN_DISABLE_TLSv1_0 ?
 ":-VERS-TLS1.0" : "",
 params->flags & TLS_CONN_DISABLE_TLSv1_1 ?
 ":-VERS-TLS1.1" : "",
 params->flags & TLS_CONN_DISABLE_TLSv1_2 ?
- ":-VERS-TLS1.2" : "");
+ ":-VERS-TLS1.2" : "",
+ params->flags & TLS_CONN_DISABLE_TLSv1_3 ?
+ ":-VERS-TLS1.3" : "");
 prio = prio_buf;
 }
--
2.47.2
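Review bot: The new `:-VERS-TLS1.3` keyword appended in the `os_snprintf()` call is only understood by GnuTLS builds that themselves implement TLS 1.3 (roughly 3.6.3 onwards); an older library's priority parser is likely to reject the unknown keyword rather than ignore it, and since the commit message says the disable flag is set by default, that would presumably make every connection fail on such a build instead of merely leaving 1.3 enabled as before. Consider guarding the new `TLS_CONN_DISABLE_TLSv1_3` test and its `%s` with `#if GNUTLS_VERSION_NUMBER >= 0x030603` (or whichever release added the keyword), or at least stating the new minimum GnuTLS version in a comment above the `if`. Honouring the flag also makes it possible to strip every TLS version from the string when the 1.0/1.1/1.2 disable flags are all set alongside the default 1.3 one, a combination that previously still left 1.3 usable with GnuTLS; the error path that consumes `prio` is outside the hunk, so confirm it reports the offending keyword position rather than a bare failure. The longest string is now `NORMAL:-VERS-SSL3.0` plus four `:-VERS-TLS1.x` entries (71 characters plus NUL) and `prio_buf` is declared outside the hunk, so check its size still fits and consider testing `os_snprintf()`'s return for truncation. tls_connection_set_params() begins and ends outside the hunk.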