From: Mike Crowe <mac@xxxxxxxxxx> Ensure that if TLS 1.3 is disabled (which is the default currently), GnuTLS is told to disable support for it too. Some RADIUS servers apparently object to downgrading from TLS 1.3 to TLS 1.2 later even though FreeRADIUS doesn't seem to mind in my testing. Signed-off-by: Mike Crowe <mac@xxxxxxxxxx> --- src/crypto/tls_gnutls.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c index e3f5b5a42..bb050d19c 100644 --- a/src/crypto/tls_gnutls.c +++ b/src/crypto/tls_gnutls.c @@ -410,15 +410,18 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, if (params->flags & (TLS_CONN_DISABLE_TLSv1_0 | TLS_CONN_DISABLE_TLSv1_1 | - TLS_CONN_DISABLE_TLSv1_2)) { + TLS_CONN_DISABLE_TLSv1_2 | + TLS_CONN_DISABLE_TLSv1_3)) { os_snprintf(prio_buf, sizeof(prio_buf), - "NORMAL:-VERS-SSL3.0%s%s%s", + "NORMAL:-VERS-SSL3.0%s%s%s%s", params->flags & TLS_CONN_DISABLE_TLSv1_0 ? ":-VERS-TLS1.0" : "", params->flags & TLS_CONN_DISABLE_TLSv1_1 ? ":-VERS-TLS1.1" : "", params->flags & TLS_CONN_DISABLE_TLSv1_2 ? - ":-VERS-TLS1.2" : ""); + ":-VERS-TLS1.2" : "", + params->flags & TLS_CONN_DISABLE_TLSv1_3 ? + ":-VERS-TLS1.3" : ""); prio = prio_buf; } -- 2.39.5 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
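Review bot: the new ":-VERS-TLS1.3" argument to os_snprintf() is emitted on the default path, because the commit message says TLS 1.3 is disabled by default. With default settings every connection therefore now passes "NORMAL:-VERS-SSL3.0:-VERS-TLS1.3" where it previously built no string for this condition. It is worth confirming that the GnuTLS releases this file still builds against accept that token. If an older release without TLS 1.3 support rejects it when the priority string is applied, default configurations would start failing, and the TLS_CONN_DISABLE_TLSv1_3 term should be guarded with a GNUTLS_VERSION_NUMBER check. Separately, the longest string the format can now produce is 71 characters plus the terminator (19 for "NORMAL:-VERS-SSL3.0" and 13 for each of the four version tokens). The prio_buf declaration is outside this hunk, so please verify that it holds at least 72 bytes and that a truncated os_snprintf() result is not passed on as a priority string.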