Improve GnuTLS compatibility options
author David Woodhouse <David.Woodhouse@intel.com>
Wed, 30 May 2012 16:42:08 +0000 (17:42 +0100)
committer David Woodhouse <David.Woodhouse@intel.com>
Wed, 30 May 2012 16:42:08 +0000 (17:42 +0100)
TLSv1.0, no safe renegotiation, no padding.

For some reason, large amounts of padding are causing the Intel servers to
kick me off — although gnutls-cli is allowed to use large amounts of padding
without getting disconnected, and I can't see *why* there's a difference.

So there's something else odd going on here, and disabling padding is just
a workaround. I bet I forget about this, and I bet it comes back to bite
me one day. And it'll serve me right for being lazy and not following it
up properly right now. But still, there's plenty more GnuTLS porting work
to be done and I've spent long enough staring at packet traces already
today.

Disable safe renegotiation because we've previously observed that some
servers are behind crappy firewalls that'll block *any* extension.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
gnutls.c

index 35ec9e8..c07fb06 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -662,8 +662,15 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 
        }
        gnutls_init (&vpninfo->https_sess, GNUTLS_CLIENT);
-       gnutls_priority_set_direct (vpninfo->https_sess, "NORMAL", NULL);
+       err = gnutls_priority_set_direct (vpninfo->https_sess, "NONE:+VERS-TLS1.0:+SHA1:+AES-128-CBC:+RSA:+COMP-NULL:%COMPAT:%DISABLE_SAFE_RENEGOTIATION", NULL);
+       if (err) {
+               vpn_progress(vpninfo, PRG_ERR,
+                            _("Failed to set TLS priority string: %s\n"),
+                            gnutls_strerror(err));
+               return -EIO;
+       }
 
+       gnutls_record_disable_padding (vpninfo->https_sess);
        workaround_openssl_certchain_bug(vpninfo);
        gnutls_credentials_set (vpninfo->https_sess, GNUTLS_CRD_CERTIFICATE, vpninfo->https_cred);
        gnutls_transport_set_ptr(vpninfo->https_sess, /* really? */(gnutls_transport_ptr_t)(long) ssl_sock);
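Review bot: the new error path leaks the session it has just created: `gnutls_init (&vpninfo->https_sess, GNUTLS_CLIENT);` runs unconditionally a few lines above, and the `return -EIO;` after the failed `gnutls_priority_set_direct` returns without a matching `gnutls_deinit(vpninfo->https_sess)`, so `vpninfo->https_sess` is left holding a half-initialised session that any later retry or cleanup will have to cope with; deinitialise it (and reset the pointer) before returning. Separately, the priority string `"NONE:+VERS-TLS1.0:+SHA1:+AES-128-CBC:+RSA:+COMP-NULL:%COMPAT:%DISABLE_SAFE_RENEGOTIATION"` and the `gnutls_record_disable_padding` call pin the client to a single TLS 1.0 cipher suite, drop the safe-renegotiation extension and remove record padding, all of which the commit message describes as server-specific workarounds that the author expects to forget about; that rationale lives only in the commit message, so please carry it into a comment next to the string (what each restriction works around, and that it is meant to be revisited), otherwise a future reader has no way to tell a deliberate downgrade from the intended configuration.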