Respect TLS version argument
The code handling it was lost in the switch from OpenSSL to GnuTLS. Restore the functionality in the new code.
This commit is contained in:
Pierre Ossman
parent
9f14da3eb2
commit
256d8e2b3c
@ -118,7 +118,8 @@ specified server and then exit.
|
||||
.TP
|
||||
.BR "-V <tls version>"
|
||||
Set the Transport Level Security (also known as SSL) Version used.
|
||||
Should be one of the following values: 1.0, 1.1, 1.2. If the option is missing 1.0 is assumed.
|
||||
Should be one of the following values: 1.0, 1.1, 1.2. By default all
|
||||
versions are supported.
|
||||
.TP
|
||||
.BR "-B"
|
||||
Use the BackingStore of the Xserver instead of the integrated one in
|
||||
|
||||
@ -185,7 +185,7 @@ usage(char *program)
|
||||
fprintf(stderr, " -b: force bitmap updates\n");
|
||||
fprintf(stderr, " -L: local codepage\n");
|
||||
fprintf(stderr, " -A: path to SeamlessRDP shell, this enables SeamlessRDP mode\n");
|
||||
fprintf(stderr, " -V: tls version (1.0, 1.1, 1.2, defaults to 1.0)\n");
|
||||
fprintf(stderr, " -V: tls version (1.0, 1.1, 1.2, defaults to negotiation)\n");
|
||||
fprintf(stderr, " -B: use BackingStore of X-server (if available)\n");
|
||||
fprintf(stderr, " -e: disable encryption (French TS)\n");
|
||||
fprintf(stderr, " -E: disable encryption from client to server\n");
|
||||
|
||||
30
tcp.c
30
tcp.c
@ -55,6 +55,8 @@
|
||||
#define INADDR_NONE ((unsigned long) -1)
|
||||
#endif
|
||||
|
||||
#define GNUTLS_PRIORITY "NORMAL"
|
||||
|
||||
#ifdef IPv6
|
||||
static struct addrinfo *g_server_address = NULL;
|
||||
#else
|
||||
@ -341,6 +343,7 @@ RD_BOOL
|
||||
tcp_tls_connect(void)
|
||||
{
|
||||
int err;
|
||||
const char* priority;
|
||||
|
||||
gnutls_certificate_credentials_t xcred;
|
||||
|
||||
@ -355,14 +358,31 @@ tcp_tls_connect(void)
|
||||
g_ssl_initialized = True;
|
||||
}
|
||||
|
||||
/* It is recommended to use the default priorities */
|
||||
//err = gnutls_set_default_priority(g_tls_session);
|
||||
// Use compatible priority to overcome key validation error
|
||||
// THIS IS TEMPORARY
|
||||
err = gnutls_priority_set_direct(g_tls_session, "NORMAL:%COMPAT", NULL);
|
||||
/* FIXME: It is recommended to use the default priorities, but
|
||||
appending things requires GnuTLS 3.6.3 */
|
||||
|
||||
priority = NULL;
|
||||
if (g_tls_version[0] == 0)
|
||||
priority = GNUTLS_PRIORITY;
|
||||
else if (!strcmp(g_tls_version, "1.0"))
|
||||
priority = GNUTLS_PRIORITY ":-VERS-ALL:+VERS-TLS1.0";
|
||||
else if (!strcmp(g_tls_version, "1.1"))
|
||||
priority = GNUTLS_PRIORITY ":-VERS-ALL:+VERS-TLS1.1";
|
||||
else if (!strcmp(g_tls_version, "1.2"))
|
||||
priority = GNUTLS_PRIORITY ":-VERS-ALL:+VERS-TLS1.2";
|
||||
|
||||
if (priority == NULL)
|
||||
{
|
||||
logger(Core, Error,
|
||||
"tcp_tls_connect(), TLS method should be 1.0, 1.1, or 1.2");
|
||||
goto fail;
|
||||
}
|
||||
|
||||
err = gnutls_priority_set_direct(g_tls_session, priority, NULL);
|
||||
if (err < 0) {
|
||||
gnutls_fatal("Could not set GnuTLS priority setting", err);
|
||||
}
|
||||
|
||||
err = gnutls_certificate_allocate_credentials(&xcred);
|
||||
if (err < 0) {
|
||||
gnutls_fatal("Could not allocate TLS certificate structure", err);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user