authorPeter Wu <peter@lekensteyn.nl>2019-10-20 18:10:31 +0100
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2019-10-21 20:35:05 +0200
commit68805580209cfaa50b2400d1a2e6c66500001395 (patch)
tree9ac8a95238fff8a3e49fda954787836c2ffd1c49
parentcd8ad5965f702647ec3f72d07d91bb394a07e1bb (diff)
downloadsystemd-68805580209cfaa50b2400d1a2e6c66500001395.tar.gz
resolved: fix connection failures with TLS 1.3 and GnuTLS
Prefer TLS 1.3 before TLS 1.2 for DNS-over-TLS support, otherwise servers compliant with RFC 8446 might end up agreeing on TLS 1.2 plus a downgrade signal which is not expected by GnuTLS clients. This manifests in the following error: Failed to invoke gnutls_handshake: An illegal parameter has been received. Fixes: #13528 Fixes: v242-962-g9c0624dcdb ("resolved: support TLS 1.3 when using GnuTLS for DNS-over-TLS")
-rw-r--r--src/resolve/resolved-dnstls-gnutls.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
index 06d635fcc4..7ad9662073 100644
--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -10,7 +10,7 @@
#include "resolved-dnstls.h"
#if GNUTLS_VERSION_NUMBER >= 0x030600
-#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3"
+#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
#else
#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2"
#endif
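Review bot: The order of the `+VERS-` entries in the `GNUTLS_VERSION_NUMBER >= 0x030600` branch is now load-bearing, yet nothing next to the define records that, so a later tidy-up could silently restore the old order and the handshake failure with it. I would add a comment above the define, for example `/* Keep TLS 1.3 before TLS 1.2: in the reverse order GnuTLS can end up on TLS 1.2 with an RFC 8446 server and then rejects the downgrade signal, see #13528. */`. The macro name `PRIORTY_STRING` is also misspelled (`PRIORITY_STRING`); its users are outside this hunk, so a rename would belong in a separate change. The `#else` branch for older GnuTLS offers only TLS 1.2 and is not affected by the ordering.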