From 5a3f242e7f778836f1645fb6479953e369a8f81e Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw2@infradead.org>
Date: Fri, 1 Feb 2019 16:14:53 +0000
Subject: [PATCH] Add +SHA256 to re-enable AES-CBC-HMAC-SHA256

Fixes: #21

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
---
 gnutls.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnutls.c b/gnutls.c
index 2bbb5a63..86f17755 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -2221,7 +2221,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 #ifdef DEFAULT_PRIO
 	default_prio = DEFAULT_PRIO ":%COMPAT";
 #else
-	default_prio = "NORMAL:-VERS-SSL3.0:%COMPAT";
+	/* GnuTLS 3.5.19 and onward refuse to negotiate AES-CBC-HMAC-SHA256
+	 * by default but some Cisco servers can't do anything better, so
+	 * explicitly add '+SHA256' to allow it. Yay Cisco. */
+	default_prio = "NORMAL:-VERS-SSL3.0:+SHA256:%COMPAT";
 #endif
 
 	snprintf(vpninfo->gnutls_prio, sizeof(vpninfo->gnutls_prio), "%s%s%s",
-- 
2.50.1