Enable TLS1.3 by default

Older versions of GnuTLS did not support TLS1.3, and so we couldn't update the version priority string to enable that by default, yet. This now seems to no longer be a problem, so enable support for TLS1.3 by default while still disallowing TLS1.1 and below.
NetworkBlockDevice · Apr 7, 2024 · c9eb9b2 · c9eb9b2
1 parent ac83952
commit c9eb9b2
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/man/nbd-server.5.sgml.in b/man/nbd-server.5.sgml.in
@@ -371,7 +371,7 @@ manpage.1: manpage.sgml
       <varlistentry>
         <term><option>tlsprio</option></term>
 	<listitem>
-	  <para>Optional; string; default NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE</para>
+	  <para>Optional; string; default NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE</para>
 	  <para>This option allows to configure the GnuTLS priority
 	    string, which is used to select the algorithms which GnuTLS
 	    will allow to be negotiated with the client. The NBD

diff --git a/nbd-server.c b/nbd-server.c
@@ -871,7 +871,7 @@ GArray* parse_cfile(gchar* f, struct generic_conf *const genconf, bool expect_ge
 
         memset(&genconftmp, 0, sizeof(struct generic_conf));
 
-	genconftmp.tlsprio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE";
+	genconftmp.tlsprio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE";
 
         if (genconf) {
                 /* Use the passed configuration values as defaults. The