build: disable SRP authentication by default

SRP authentication in TLS is not up to date with the latest TLS
standards and its ciphersuites are based on the CBC mode and SHA-1.
This makes the feature disabled by default at compile time, though the
users are still be able to enable it with --enable-srp-authentication
configure option.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

diff --git a/NEWS b/NEWS
index cc5a064843732cd4b89f9ea67a74169005fe3a7f..a45cbc89e86ffd312b27c9f3bfc468a661d7308a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,12 @@ and to simplify maintenance, see <https://gitlab.com/gnutls/guile/>.
    support for it, supply --enable-heartbeat-support to configure
    script.
 
+** libgnutls: SRP authentication is now disabled by default.
+   It is disabled because the SRP authentication in TLS is not up to
+   date with the latest TLS standards and its ciphersuites are based
+   on the CBC mode and SHA-1.  To enable it back, supply
+   --enable-srp-authentication option to configure script.
+
 ** minitasn1: Upgraded to libtasn1 version 4.19.
 
 ** API and ABI modifications:

diff --git a/m4/hooks.m4 b/m4/hooks.m4
index 10e23afc547ccc78c05bafa31ef33bed90e0737a..8ec1ac0eab4587cc9b89597840370937988c1285 100644 (file)
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -246,11 +246,11 @@ LIBTASN1_MINIMUM=4.9
   fi
   AM_CONDITIONAL(ENABLE_HEARTBEAT, test "$ac_enable_heartbeat" != "no")
 
-  ac_enable_srp=yes
-  AC_MSG_CHECKING([whether to disable SRP authentication support])
+  ac_enable_srp=no
+  AC_MSG_CHECKING([whether to enable SRP authentication support])
   AC_ARG_ENABLE(srp-authentication,
-    AS_HELP_STRING([--disable-srp-authentication],
-                   [disable the SRP authentication support]),
+    AS_HELP_STRING([--enable-srp-authentication],
+                   [enable the SRP authentication support]),
     ac_enable_srp=$enableval)
   if test x$ac_enable_srp != xno; then
    AC_MSG_RESULT(no)