Actually, do this differently

Disabling all versions of TLS and then enabling those versions that are supported only means we get to do this again when (if ever) a new version of TLS is defined. Enabling all versions of TLS and then disabling those versions that are *not* supported means we support it the moment GnuTLS supports it.
NetworkBlockDevice · Apr 7, 2024 · 4efb275 · 4efb275
1 parent c9eb9b2
commit 4efb275
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/man/nbd-server.5.sgml.in b/man/nbd-server.5.sgml.in
@@ -371,7 +371,7 @@ manpage.1: manpage.sgml
       <varlistentry>
         <term><option>tlsprio</option></term>
 	<listitem>
-	  <para>Optional; string; default NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE</para>
+	  <para>Optional; string; default NORMAL:+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-TLS1.1:%SERVER_PRECEDENCE</para>
 	  <para>This option allows to configure the GnuTLS priority
 	    string, which is used to select the algorithms which GnuTLS
 	    will allow to be negotiated with the client. The NBD

diff --git a/nbd-server.c b/nbd-server.c
@@ -871,7 +871,7 @@ GArray* parse_cfile(gchar* f, struct generic_conf *const genconf, bool expect_ge
 
         memset(&genconftmp, 0, sizeof(struct generic_conf));
 
-	genconftmp.tlsprio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE";
+	genconftmp.tlsprio = "NORMAL:+VERS-TLS-ALL:-VERS-TLS1.0:+VERS-TLS1.1:%SERVER_PRECEDENCE";
 
         if (genconf) {
                 /* Use the passed configuration values as defaults. The