build: disable TLS heartbeat extension by default

The heartbeat extension in TLS (RFC 6520) is not widely used given
other implementations dropped support for it. This makes it disabled
by default, though the users are able to enable it back with the
--enable-heartbeat-support configure option.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

2 files changed, 9 insertions, 3 deletions

diff --git a/NEWS b/NEWS
index b769566ba3..cc5a064843 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,12 @@ and to simplify maintenance, see <https://gitlab.com/gnutls/guile/>.
    priority modifier have been added to allow disabling of the
    status_request TLS extension in the client side.
 
+** libgnutls: TLS heartbeat is disabled by default.
+   The heartbeat extension in TLS (RFC 6520) is not widely used given
+   other implementations dropped support for it. To enable back
+   support for it, supply --enable-heartbeat-support to configure
+   script.
+
 ** minitasn1: Upgraded to libtasn1 version 4.19.
 
 ** API and ABI modifications:
diff --git a/m4/hooks.m4 b/m4/hooks.m4
index f3cdaa8586..10e23afc54 100644
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -232,11 +232,11 @@ LIBTASN1_MINIMUM=4.9
   fi
   AM_CONDITIONAL(ENABLE_ALPN, test "$ac_enable_alpn" != "no")
 
-  ac_enable_heartbeat=yes
+  ac_enable_heartbeat=no
   AC_MSG_CHECKING([whether to enable TLS heartbeat support])
   AC_ARG_ENABLE(heartbeat-support,
-    AS_HELP_STRING([--disable-heartbeat-support],
-                   [disable support for the heartbeat extension]),
+    AS_HELP_STRING([--enable-heartbeat-support],
+                   [enable support for the heartbeat extension]),
     ac_enable_heartbeat=$enableval)
   if test x$ac_enable_heartbeat != xno; then
    AC_MSG_RESULT(yes)