From: David Woodhouse <dwmw2@infradead.org>
Date: Fri, 1 Feb 2019 16:14:53 +0000 (+0000)
Subject: Add +SHA256 to re-enable AES-CBC-HMAC-SHA256
X-Git-Tag: v8.03~23
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=5a3f242e7f778836f1645fb6479953e369a8f81e;p=users%2Fdwmw2%2Fopenconnect.git

Add +SHA256 to re-enable AES-CBC-HMAC-SHA256

Fixes: #21

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
---

diff --git a/gnutls.c b/gnutls.c
index 2bbb5a63..86f17755 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -2221,7 +2221,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 #ifdef DEFAULT_PRIO
 	default_prio = DEFAULT_PRIO ":%COMPAT";
 #else
-	default_prio = "NORMAL:-VERS-SSL3.0:%COMPAT";
+	/* GnuTLS 3.5.19 and onward refuse to negotiate AES-CBC-HMAC-SHA256
+	 * by default but some Cisco servers can't do anything better, so
+	 * explicitly add '+SHA256' to allow it. Yay Cisco. */
+	default_prio = "NORMAL:-VERS-SSL3.0:+SHA256:%COMPAT";
 #endif
 
 	snprintf(vpninfo->gnutls_prio, sizeof(vpninfo->gnutls_prio), "%s%s%s",