From 30969265474140a4bc8c489ff79162afd59ecc82 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 28 Jul 2020 12:13:17 +0200 Subject: [PATCH] nts: disable TLS 1.2 on server It seems gnutls (at least in version 3.6.14) allows clients to connect using TLS1.2 when it has a DTLS version enabled in the priority cache. Disable all DTLS versions in order to disable TLS1.2. --- nts_ke_session.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nts_ke_session.c b/nts_ke_session.c index 83cad3c..45ebda8 100644 --- a/nts_ke_session.c +++ b/nts_ke_session.c @@ -604,7 +604,7 @@ init_gnutls(void) /* Prepare a priority cache for server and client NTS-KE sessions (the NTS specification requires TLS1.3 or later) */ r = gnutls_priority_init2(&priority_cache, - "-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2", + "-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-DTLS-ALL", NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND); if (r < 0) LOG_FATAL("Could not initialise %s : %s", "priority cache", gnutls_strerror(r));