Advertise TLS1.0 not SSL3.0 in GnuTLS ClientHello
authorDavid Woodhouse <David.Woodhouse@intel.com>
Fri, 29 Jun 2012 20:17:47 +0000 (21:17 +0100)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Fri, 29 Jun 2012 20:36:19 +0000 (21:36 +0100)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
gnutls.c
www/changelog.xml

index f4c0f6d..92cca08 100644 (file)
--- a/gnutls.c
+++ b/gnutls.c
@@ -1739,7 +1739,14 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
        if (vpninfo->my_pkey == OPENCONNECT_TPM_PKEY)
                gnutls_sign_callback_set(vpninfo->https_sess, gtls2_tpm_sign_cb, vpninfo);
 #endif
-       err = gnutls_priority_set_direct (vpninfo->https_sess, "NONE:+VERS-TLS1.0:+SHA1:+AES-128-CBC:+RSA:+COMP-NULL:%COMPAT:%DISABLE_SAFE_RENEGOTIATION", NULL);
+
+       err = gnutls_priority_set_direct (vpninfo->https_sess,
+                                         "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
+#if GNUTLS_VERSION_MAJOR >= 3
+                                         "-CURVE-ALL:"
+#endif
+                                         "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION",
+                                         NULL);
        if (err) {
                vpn_progress(vpninfo, PRG_ERR,
                             _("Failed to set TLS priority string: %s\n"),
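Review bot: The new priority string still carries `%COMPAT` and `%DISABLE_SAFE_RENEGOTIATION` from the old one, and now also pins the session to TLS1.0 and drops all curves on GnuTLS 3, yet nothing in the hunk records why these compatibility knobs are needed; a reader later tightening the policy has no way to know which server behaviour each one works around. I would put a comment above the `gnutls_priority_set_direct` call, e.g. `/* Some servers insist on TLSv1.0 and reject safe renegotiation (see RH#836558 in the changelog); the relaxed priorities below are deliberate, not defaults to copy elsewhere. */`. Note also that `NORMAL` replaces the previous explicit `AES-128-CBC:+RSA` selection with the full default suite set, which is a wider change than the title suggests and deserves a word in the same comment. Whether `-VERS-TLS-ALL` also removes SSL3.0 from the `NORMAL` set on the GnuTLS versions in use is not something the hunk shows; if it does not, an explicit `-VERS-SSL3.0` would match the commit title. openconnect_open_https continues outside the hunk, including the error branch that reports err.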
index 820cf81..3f1fe23 100644 (file)
@@ -18,6 +18,7 @@
    <li><b>OpenConnect HEAD</b>
      <ul>
        <li>Support more ciphers for OpenSSL encrypted PEM keys, with GnuTLS.</li>
+       <li>Fix GnuTLS compatibilty issue with servers that insist on TLSv1.0 <a href="https://bugzilla.redhat.com/show_bug.cgi?id=836558"><i>(RH#836558)</i></a>.</li>
      </ul><br/>
   </li>
   <li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-4.02.tar.gz">OpenConnect v4.02</a></b>