faraphel/chrony
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nts: disable TLS 1.2 on server

Browse source 
It seems gnutls (at least in version 3.6.14) allows clients to connect
using TLS1.2 when it has a DTLS version enabled in the priority cache.

Disable all DTLS versions in order to disable TLS1.2.
This commit is contained in:
Miroslav Lichvar 2020-07-28 12:13:17 +02:00
parent d48f012809
commit 3096926547
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
nts_ke_session.c
View file

@ -604,7 +604,7 @@ init_gnutls(void)
/* Prepare a priority cache for server and client NTS-KE sessions /* Prepare a priority cache for server and client NTS-KE sessions
(the NTS specification requires TLS1.3 or later) */ (the NTS specification requires TLS1.3 or later) */
r = gnutls_priority_init2(&priority_cache, r = gnutls_priority_init2(&priority_cache,
"-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2", "-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-DTLS-ALL",
NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND); NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND);
if (r < 0) if (r < 0)
LOG_FATAL("Could not initialise %s : %s", "priority cache", gnutls_strerror(r)); LOG_FATAL("Could not initialise %s : %s", "priority cache", gnutls_strerror(r));