Changeset 1d62f86 in mod_gnutls

Timestamp:

Aug 24, 2020, 5:37:01 PM (3 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, main, master

Children:

db76dd9

Parents:

ec26b87

Message:

Use -VERS-ALL instead of -VERS-TLS-ALL

There was a bug in GnuTLS where leaving DTLS versions (which are
present in NORMAL) enabled could lead to a disabled TLS version being
accepted: ​https://gitlab.com/gnutls/gnutls/-/issues/1054

This has been fixed in the GnuTLS git repository (see
​https://gitlab.com/gnutls/gnutls/-/merge_requests/1309), but there's
no release with the fix yet. I was testing with a local development
build so -VERS-TLS-ALL worked as it should, but the current distro
versions don't have the fix, so -VERS-ALL is needed.

Location:

test/tests/01_priorities_config

Files:

• apache.conf (modified) (1 diff)
• test.yml (modified) (3 diffs)

test/tests/01_priorities_config/apache.conf

@@ -17 +17 @@
     GnuTLSCertificateFile       authority/server/x509.pem
     GnuTLSKeyFile               authority/server/secret.key
-    GnuTLSPriorities            NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3
+    GnuTLSPriorities            NORMAL:-VERS-ALL:+VERS-TLS1.3
 </VirtualHost>

test/tests/01_priorities_config/test.yml

@@ -20 +20 @@
   gnutls_params:
     - x509cafile=authority/x509.pem
-    - priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3
+    - priority=NORMAL:-VERS-ALL:+VERS-TLS1.3
   actions:
     - !request
@@ -34 +34 @@
     - x509cafile=authority/x509.pem
     - sni-hostname=test.example.com
-    - priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3
+    - priority=NORMAL:-VERS-ALL:+VERS-TLS1.3
   actions:
     - !request
@@ -53 +53 @@
     - x509cafile=authority/x509.pem
     - sni-hostname=test.example.com
-    - priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2
+    - priority=NORMAL:-VERS-ALL:+VERS-TLS1.2
   actions:
     - !request