authorIwan Timmer <irtimmer@gmail.com>2019-06-17 21:24:05 +0200
committerIwan Timmer <iwan.timmer@northwave.nl>2019-06-19 13:10:44 +0200
commit9c0624dcdb86360d5cd5eb8c6093b3cd2e6d281b (patch)
treec61bb1df73196e94baa0f892feec2b2bca038d55
parent4310bfc20b84127e19bed68701caa3820c844682 (diff)
downloadsystemd-9c0624dcdb86360d5cd5eb8c6093b3cd2e6d281b.tar.gz
resolved: support TLS 1.3 when using GnuTLS for DNS-over-TLS
-rw-r--r--src/resolve/resolved-dnstls-gnutls.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
index 6eef6117a3..06d635fcc4 100644
--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -9,6 +9,11 @@
#include "resolved-dns-stream.h"
#include "resolved-dnstls.h"
+#if GNUTLS_VERSION_NUMBER >= 0x030600
+#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3"
+#else
+#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2"
+#endif
DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit);
static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {
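Review bot: The new macro is misspelled in both branches of the `#if` — `PRIORTY_STRING` should be `PRIORITY_STRING` (and at its use site in the second hunk), otherwise the typo is frozen into the file for every later reader. The version guard `GNUTLS_VERSION_NUMBER >= 0x030600` should also be checked against the first GnuTLS release that actually accepts the `+VERS-TLS1.3` keyword; I believe TLS 1.3 support arrived partway through the 3.6.x series rather than in 3.6.0, and on a 3.6.x build that rejects the keyword `gnutls_priority_set_direct()` returns an error and the connect path in the next hunk fails outright rather than negotiating TLS 1.2, so a too-low threshold turns a feature into a hard DoT outage. A one-line comment above the `#if` stating the intent would help, e.g. `/* DNS-over-TLS has no legacy peers: offer only TLS 1.2, plus TLS 1.3 where this GnuTLS supports it. */`.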
@@ -37,7 +42,7 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
return r;
/* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */
- r = gnutls_priority_set_direct(gs, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL);
+ r = gnutls_priority_set_direct(gs, PRIORTY_STRING, NULL);
if (r < 0)
return r;
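Review bot: The call now passes a build-dependent priority string but still hands `NULL` as the `err_pos` argument, so if the string is rejected (for instance an unrecognised `VERS-TLS1.3` keyword on an older GnuTLS) the only diagnostic is a bare negative return with no indication of which keyword failed; passing a `const char *err_pos` and logging it before `return r;` would make that failure mode debuggable. The comment above the call could also say what is actually offered now, e.g. `/* DNS-over-TLS is a recent protocol: offer only TLS 1.2 (and TLS 1.3 when GnuTLS supports it). */`. The enclosing function dnstls_stream_connect_tls starts before and continues after this hunk.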