Add +SHA256 to re-enable AES-CBC-HMAC-SHA256
authorDavid Woodhouse <dwmw2@infradead.org>
Fri, 1 Feb 2019 16:14:53 +0000 (16:14 +0000)
committerDavid Woodhouse <dwmw2@infradead.org>
Tue, 5 Feb 2019 14:36:54 +0000 (14:36 +0000)
Fixes: #21
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
gnutls.c

index 2bbb5a63a22a0a22a2b6cb7bc391e4cee94a0816..86f1775528eab29bf4d82a58a9a9e0eb64aaf1f4 100644 (file)
--- a/gnutls.c
+++ b/gnutls.c
@@ -2221,7 +2221,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 #ifdef DEFAULT_PRIO
        default_prio = DEFAULT_PRIO ":%COMPAT";
 #else
-       default_prio = "NORMAL:-VERS-SSL3.0:%COMPAT";
+       /* GnuTLS 3.5.19 and onward refuse to negotiate AES-CBC-HMAC-SHA256
+        * by default but some Cisco servers can't do anything better, so
+        * explicitly add '+SHA256' to allow it. Yay Cisco. */
+       default_prio = "NORMAL:-VERS-SSL3.0:+SHA256:%COMPAT";
 #endif
 
        snprintf(vpninfo->gnutls_prio, sizeof(vpninfo->gnutls_prio), "%s%s%s",
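Review bot: The `+SHA256` addition lands only in the `#else` branch, so a build that defines `DEFAULT_PRIO` still gets `DEFAULT_PRIO ":%COMPAT"` and would presumably keep failing against the servers this commit targets. If that is deliberate, because the packager's priority string is meant to win, the comment should say so. The comment should also record that the relaxation applies to every peer and not only to the Cisco servers, for example `/* Applies to all servers, as a compatibility trade-off against the GnuTLS default; not applied when DEFAULT_PRIO is set. */`. openconnect_open_https starts and ends outside the hunk, and the snprintf call on the last context line continues past it.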