authorDaiki Ueno <dueno@redhat.com>2019-09-26 16:45:25 +0200
committerDaiki Ueno <dueno@redhat.com>2019-09-27 10:14:53 +0200
commit3fd28f9a400f371291c05c89b5b8014cebd2d315 (patch)
treec45f8d4a3196caa7865be54828c3f00ba538045d /tests/version-checks.c
parent0bb87a8712d48a0e0c3cf97c7ca7830603b91176 (diff)
ext/supported_versions: reorder client precedence if necessary
If the client advertises TLS < 1.2 before TLS 1.3 and the server is configured with TLS 1.3 enabled, the server should select TLS 1.3; otherwise the client will disconnect when it sees the downgrade sentinel. Signed-off-by: Daiki Ueno <dueno@redhat.com>
Diffstat (limited to 'tests/version-checks.c')
-rw-r--r--tests/version-checks.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/tests/version-checks.c b/tests/version-checks.c
index 4f9bac2261..2b6badff17 100644
--- a/tests/version-checks.c
+++ b/tests/version-checks.c
@@ -171,6 +171,13 @@ void doit(void)
reset_buffers();
try("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3:+VERS-TLS1.2", GNUTLS_TLS1_3);
reset_buffers();
+ /* If TLS 1.3 is enabled in the server, prefer the latest
+ * possible version regardless of the client's precedence.
+ * See https://gitlab.com/gnutls/gnutls/issues/837 for the
+ * rationale.
+ */
+ try("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3", GNUTLS_TLS1_3);
+ reset_buffers();
#ifdef ENABLE_SSL3
try("NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0", -1);
reset_buffers();
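Review bot: The added case only places TLS 1.2 ahead of TLS 1.3, while the commit description is about clients that list older versions before TLS 1.3, so the server-side reordering is not exercised for those. Consider a sibling case right after the new `try(...)`, for example `try("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.3", GNUTLS_TLS1_3);` followed by `reset_buffers();`, assuming the server priority set inside try() (not visible here) enables TLS 1.3 and the client accepts that combination. The new comment could also state the failure it guards against, e.g. `otherwise the client sees the RFC 8446 downgrade sentinel and aborts the handshake`, so the test's purpose stays clear if the issue link goes stale. doit() starts and ends outside this hunk.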