diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-02-02 09:13:40 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-02-06 12:52:41 +0100 |
| commit | aaf286293050a4a2dbcd98d9eb2d69eca99c502a (patch) | |
| tree | b8e74a52a784152ebc2d733f999e66add9e30bb7 /lib/handshake.c | |
| parent | daf6650142f63c0f602b99c92ba941ff1d9f851c (diff) | |
| download | gnutls-aaf286293050a4a2dbcd98d9eb2d69eca99c502a.tar.gz | |
Fallback to TLS 1.2 when incompatible with signature certs are provided
This only takes into account certificates in the credentials structure.
If certificates are provided in a callback, these must be checked by
the provider. For that we assume that the credentials structure is
filled when associated with a session; if not then the fallback mechanism
will not work and the handshake will fail.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/handshake.c')
| -rw-r--r-- | lib/handshake.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/handshake.c b/lib/handshake.c index 70b4486266..481210ebc0 100644 --- a/lib/handshake.c +++ b/lib/handshake.c @@ -444,6 +444,9 @@ _gnutls_negotiate_version(gnutls_session_t session, if (aversion && aversion->id == GNUTLS_TLS1_2) { vers = _gnutls_version_max(session); + if (unlikely(vers == NULL)) + return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES); + if (vers->id >= GNUTLS_TLS1_2) { session->security_parameters.pversion = aversion; return 0; @@ -2138,7 +2141,10 @@ static int send_client_hello(gnutls_session_t session, int again) if (hver == NULL) { gnutls_assert(); - ret = GNUTLS_E_NO_PRIORITIES_WERE_SET; + if (session->internals.flags & INT_FLAG_NO_TLS13) + ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS; + else + ret = GNUTLS_E_NO_PRIORITIES_WERE_SET; goto cleanup; } |