Use gnutls_set_default_priority.

Thereby enabling TLS 1.2 on GnuTLS versions that support it.

src/network/ssl/socket.c

@@ -63,83 +63,6 @@ ssl_set_no_tls(struct socket *socket)
 {
 #ifdef CONFIG_OPENSSL
 	((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1;
-#elif defined(CONFIG_GNUTLS)
-	/* We do a little more work here, setting up all these priorities (like
-	 * they couldn't have some reasonable defaults there).. */
-
-	{
-		int protocol_priority[3] = {
-			GNUTLS_TLS1,
-			GNUTLS_SSL3,
-			0
-		};
-
-		gnutls_protocol_set_priority(*((ssl_t *) socket->ssl), protocol_priority);
-	}
-
-	/* Note that I have no clue about these; I just put all I found here
-	 * ;-). It is all a bit confusing for me, and I just want this to work.
-	 * Feel free to send me patch removing useless superfluous bloat,
-	 * thanks in advance. --pasky */
-
-	{
-		int cipher_priority[5] = {
-			GNUTLS_CIPHER_RIJNDAEL_128_CBC,
-			GNUTLS_CIPHER_3DES_CBC,
-			GNUTLS_CIPHER_ARCFOUR,
-			GNUTLS_CIPHER_RIJNDAEL_256_CBC,
-			0
-		};
-
-		gnutls_cipher_set_priority(*((ssl_t *) socket->ssl), cipher_priority);
-	}
-
-	{
-		/* Does any httpd support this..? ;) */
-		int comp_priority[3] = {
-			GNUTLS_COMP_ZLIB,
-			GNUTLS_COMP_NULL,
-			0
-		};
-
-		gnutls_compression_set_priority(*((ssl_t *) socket->ssl), comp_priority);
-	}
-
-	{
-		int kx_priority[5] = {
-			GNUTLS_KX_RSA,
-			GNUTLS_KX_DHE_DSS,
-			GNUTLS_KX_DHE_RSA,
-			/* Looks like we don't want SRP, do we? */
-			GNUTLS_KX_ANON_DH,
-			0
-		};
-
-		gnutls_kx_set_priority(*((ssl_t *) socket->ssl), kx_priority);
-	}
-
-	{
-		int mac_priority[3] = {
-			GNUTLS_MAC_SHA,
-			GNUTLS_MAC_MD5,
-			0
-		};
-
-		gnutls_mac_set_priority(*((ssl_t *) socket->ssl), mac_priority);
-	}
-
-	{
-		int cert_type_priority[2] = {
-			GNUTLS_CRT_X509,
-			/* We don't link with -extra now; by time of writing
-			 * this, it's unclear where OpenPGP will end up. */
-			0
-		};
-
-		gnutls_certificate_type_set_priority(*((ssl_t *) socket->ssl), cert_type_priority);
-	}
-
-	gnutls_dh_set_prime_bits(*((ssl_t *) socket->ssl), 1024);
 #endif
 }
 

src/network/ssl/ssl.c

@@ -107,9 +107,6 @@ static struct module openssl_module = struct_module(
 gnutls_anon_client_credentials_t anon_cred = NULL;
 gnutls_certificate_credentials_t xcred = NULL;
 
-const static int protocol_priority[16] = {
-	GNUTLS_TLS1, GNUTLS_SSL3, 0
-};
 const static int kx_priority[16] = {
 	GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP,
 	/* Do not use anonymous authentication, unless you know what that means */
@@ -119,8 +116,6 @@ const static int cipher_priority[16] = {
 	GNUTLS_CIPHER_RIJNDAEL_128_CBC, GNUTLS_CIPHER_ARCFOUR_128,
 	GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_ARCFOUR_40, 0
 };
-const static int comp_priority[16] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
-const static int mac_priority[16] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
 const static int cert_type_priority[16] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 };
 
 static void
@@ -232,12 +227,10 @@ init_ssl_connection(struct socket *socket)
 		return S_SSL_ERROR;
 	}
 
+	gnutls_set_default_priority(*state);
 	gnutls_handshake_set_private_extensions(*state, 1);
 	gnutls_cipher_set_priority(*state, cipher_priority);
-	gnutls_compression_set_priority(*state, comp_priority);
 	gnutls_kx_set_priority(*state, kx_priority);
-	gnutls_protocol_set_priority(*state, protocol_priority);
-	gnutls_mac_set_priority(*state, mac_priority);
 	gnutls_certificate_type_set_priority(*state, cert_type_priority);
 	gnutls_server_name_set(*state, GNUTLS_NAME_DNS, server_name,
 			       sizeof(server_name) - 1);