On 07/24/2018 01:01 PM, Nikos Mavrogiannopoulos wrote:
>> Am I misreading the code?
>>
>> If compiled with !DEFAULT_PRIO and we miss both the gtls_ver(3,2,9) and
>> gtls_ver(3,0,0) checks, won't we do
>> "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"... from the else{} block below?
>>
>> I read that as "when using old gnutls versions and !DEFAULT_PRIO", use
>> this string.
>>
>>> #ifdef DEFAULT_PRIO
>>>     default_prio = DEFAULT_PRIO ":%COMPAT";
>>> #else
>>>     if (gtls_ver(3,2,9)) {
>>>         default_prio = "NORMAL:-VERS-SSL3.0:%COMPAT";
>>>     } else if (gtls_ver(3,0,0)) {
>>>         default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
>>>             "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION" \
>>>             ":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA";
>>>     } else {
>>>         default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
>>>             "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION";
>>>     }
>>> #endif
> Hmm, that is true, but ubuntu doesn't use that code. My version is this, verbatim:
>
> err = gnutls_priority_set_direct(vpninfo->https_sess,
>                                  "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
> #if GNUTLS_VERSION_MAJOR >= 3
>                                  "-CURVE-ALL:"
> #endif
>                                  "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION",
>                                  NULL);

Which is a somewhat more arcane way to do _some_ of the same stuff, like adding "-CURVE-ALL:" for gnutls >= 3.

> If it did it could have made sense to update it, but looks like dead
> code as since 5f0eb81daa0df5668eedd8e48eaeea065c92d9ad openconnect
> can no longer build with a version of gnutls < 3 (which doesn't have
> DTLS).

Right, Ubuntu (14.04) doesn't have the first two cases, only the third.

But, I was basically asking (despite being an ancient version of openconnect) whether this affects upstream openconnect. The "gtls_ver(3,0,0)" in upstream openconnect still has this hunk in its string, though: "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:". Does that cause any issues on gnutls versions >=3.0.0, but <3.2.9?
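To make the version range in the question concrete, here is an added example (not openconnect's or GnuTLS's code) that models the quoted #else block: pick_default_prio() mirrors its three branches with a plain (major, minor, patch) compare standing in for gtls_ver(), and enabled_tls_versions() applies the VERS-* keywords of the chosen string left to right the way GnuTLS priority parsing does. The model assumes NORMAL enables TLS 1.0/1.1/1.2 and deliberately ignores SSL3.0, the %-flags and the cipher/curve keywords.

```c
#include <stdio.h>
#include <string.h>
/* Bitmask of TLS versions; SSL3.0 and %-flags are deliberately not modelled. */
enum { TLS10 = 1, TLS11 = 2, TLS12 = 4, TLS_ALL = TLS10 | TLS11 | TLS12 };

/* Stand-in for openconnect's gtls_ver(a,b,c): true when (maj,min,pat) >= (a,b,c). */
static int ver_ge(int maj, int min, int pat, int a, int b, int c)
{
    if (maj != a) return maj > a;
    if (min != b) return min > b;
    return pat >= c;
}
/* The three branches of the #else block quoted in the mail. */
const char *pick_default_prio(int maj, int min, int pat)
{
    if (ver_ge(maj, min, pat, 3, 2, 9))
        return "NORMAL:-VERS-SSL3.0:%COMPAT";
    if (ver_ge(maj, min, pat, 3, 0, 0))
        return "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
               "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"
               ":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA";
    return "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
           "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION";
}
/* Apply the VERS-* keywords left to right, as GnuTLS does, and return the
 * TLS versions left enabled.  "NORMAL" is modelled as TLS1.0/1.1/1.2. */
unsigned enabled_tls_versions(const char *prio)
{
    char buf[256];
    unsigned set = 0;
    strncpy(buf, prio, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
        if (!strcmp(tok, "NORMAL"))             set = TLS_ALL;
        else if (!strcmp(tok, "-VERS-TLS-ALL")) set = 0;
        else if (!strcmp(tok, "+VERS-TLS1.0"))  set |= TLS10;
        /* -VERS-SSL3.0, -CURVE-ALL, -ECDHE-*, %-flags: no effect on TLS versions */
    }
    return set;
}

int main(void)
{
    int v[][3] = { {2, 12, 23}, {3, 1, 0}, {3, 2, 8}, {3, 2, 9}, {3, 5, 18} };
    for (size_t i = 0; i < sizeof v / sizeof v[0]; i++) {
        const char *p = pick_default_prio(v[i][0], v[i][1], v[i][2]);
        printf("gnutls %d.%d.%d: TLS mask 0x%x  %s\n", v[i][0], v[i][1], v[i][2],
               enabled_tls_versions(p), p);
    }
    return 0;
}
```

Every GnuTLS from 3.0.0 up to but excluding 3.2.9 lands in the middle branch, whose "-VERS-TLS-ALL:+VERS-TLS1.0" leaves only TLS 1.0 negotiable; from 3.2.9 on, all TLS versions stay enabled and only SSL 3.0 is removed.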