resolved: support TLS 1.3 when using GnuTLS for DNS-over-TLS 12815/head
authorIwan Timmer <irtimmer@gmail.com>
Mon, 17 Jun 2019 19:24:05 +0000 (21:24 +0200)
committerIwan Timmer <iwan.timmer@northwave.nl>
Wed, 19 Jun 2019 11:10:44 +0000 (13:10 +0200)
src/resolve/resolved-dnstls-gnutls.c

index 6eef6117a3ae7a1067a3b6f9d080224408c25496..06d635fcc444f77302398131a50d660846269965 100644 (file)
@@ -9,6 +9,11 @@
 #include "resolved-dns-stream.h"
 #include "resolved-dnstls.h"
 
+#if GNUTLS_VERSION_NUMBER >= 0x030600
+#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3"
+#else
+#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2"
+#endif
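Review bot: The new macro on the three added lines is misspelled as `PRIORTY_STRING`; since it is file-private and this commit introduces it, renaming it now to `PRIORITY_STRING` (at both definition sites and the use in dnstls_stream_connect_tls) avoids the typo becoming an API that later code copies. The `#endif` also runs straight into `DEFINE_TRIVIAL_CLEANUP_FUNC` with no separating blank line, which reads as if the cleanup definition were part of the conditional block. Whether `GNUTLS_VERSION_NUMBER` is in scope here depends on a `<gnutls/gnutls.h>` include above this hunk, which is not visible in the diff; if it is missing, the `#if` silently evaluates the undefined macro to 0 and TLS 1.3 is never enabled, so a `#error`-style guard or an explicit include next to the macro would make that failure loud.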
 DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit);
 
 static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {
@@ -37,7 +42,7 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
                 return r;
 
         /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */
-        r = gnutls_priority_set_direct(gs, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL);
+        r = gnutls_priority_set_direct(gs, PRIORTY_STRING, NULL);
         if (r < 0)
                 return r;
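Review bot: Because the priority string is now chosen from the compile-time `GNUTLS_VERSION_NUMBER`, a binary built against GnuTLS 3.6 headers but run against an older shared library will have `gnutls_priority_set_direct` reject the `+VERS-TLS1.3` keyword, and with `err_pos` passed as `NULL` the error path only propagates a bare negative code with no indication which token failed. Passing a `const char *err_pos` and logging it before returning, e.g. `log_debug("Failed to set GnuTLS priority \"%s\" at \"%s\": %s", PRIORTY_STRING, err_pos, gnutls_strerror(r));`, would make that misconfiguration diagnosable from the journal. The body of dnstls_stream_connect_tls continues outside this hunk.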