From 4efb275794b0da67099a6260d4bf1d069c6fb10e Mon Sep 17 00:00:00 2001 From: Wouter Verhelst Date: Sun, 7 Apr 2024 12:42:02 +0200 Subject: [PATCH] Actually, do this differently Disabling all versions of TLS and then enabling those versions that are supported only means we get to do this again when (if ever) a new version of TLS is defined. Enabling all versions of TLS and then disabling those versions that are *not* supported means we support it the moment GnuTLS supports it. --- man/nbd-server.5.sgml.in | 2 +- nbd-server.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/man/nbd-server.5.sgml.in b/man/nbd-server.5.sgml.in index 4d3a33a4..41ad12d4 100644 --- a/man/nbd-server.5.sgml.in +++ b/man/nbd-server.5.sgml.in @@ -371,7 +371,7 @@ manpage.1: manpage.sgml - Optional; string; default NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE + Optional; string; default NORMAL:+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-TLS1.1:%SERVER_PRECEDENCE This option allows to configure the GnuTLS priority string, which is used to select the algorithms which GnuTLS will allow to be negotiated with the client. The NBD diff --git a/nbd-server.c b/nbd-server.c index 41d09ff5..3749b74a 100644 --- a/nbd-server.c +++ b/nbd-server.c @@ -871,7 +871,7 @@ GArray* parse_cfile(gchar* f, struct generic_conf *const genconf, bool expect_ge memset(&genconftmp, 0, sizeof(struct generic_conf)); - genconftmp.tlsprio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE"; + genconftmp.tlsprio = "NORMAL:+VERS-TLS-ALL:-VERS-TLS1.0:+VERS-TLS1.1:%SERVER_PRECEDENCE"; if (genconf) { /* Use the passed configuration values as defaults. The
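Review bot: The new default in the nbd-server.c hunk has a sign error on the last version token: `+VERS-TLS1.1` should be `-VERS-TLS1.1`. As written, the default priority string "NORMAL:+VERS-TLS-ALL:-VERS-TLS1.0:+VERS-TLS1.1:%SERVER_PRECEDENCE" leaves TLS 1.1 enabled, which contradicts the commit message ("disabling those versions that are *not* supported") and the man page hunk in the same patch, which documents the default as NORMAL:+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-TLS1.1:%SERVER_PRECEDENCE. Since the stated goal is to keep only TLS 1.2 and newer negotiable by default, the code default and the documented default need to match; suggest changing the assignment to `genconftmp.tlsprio = "NORMAL:+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-TLS1.1:%SERVER_PRECEDENCE";` and checking the resulting string with `gnutls_priority_init()` (or `gnutls-cli --priority`) against the previous default to confirm the set of enabled protocol versions is unchanged.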