resolved: fix connection failures with TLS 1.3 and GnuTLS

Prefer TLS 1.3 before TLS 1.2 for DNS-over-TLS support, otherwise servers compliant with RFC 8446 might end up agreeing TLS 1.2 plus a downgrade signal which is not expected by GnuTLS clients. This manifests in the following error: Failed to invoke gnutls_handshake: An illegal parameter has been received. Fixes: #13528 Fixes: v242-962-g9c0624dcdb ("resolved: support TLS 1.3 when using GnuTLS for DNS-over-TLS")
author: Peter Wu <peter@lekensteyn.nl> 2019-10-20 19:10:31 +0200
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2019-10-21 20:35:05 +0200
commit: 68805580209cfaa50b2400d1a2e6c66500001395 (patch)
tree: 9ac8a95238fff8a3e49fda954787836c2ffd1c49 /src/resolve/resolved-dnstls-gnutls.c
parent: hwdb: Add Medion Akoya E2215T MD60198 sensor orientation quirk (diff)
download: systemd-68805580209cfaa50b2400d1a2e6c66500001395.tar.xz
systemd-68805580209cfaa50b2400d1a2e6c66500001395.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
index 06d635fcc4..7ad9662073 100644
--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -10,7 +10,7 @@
 #include "resolved-dnstls.h"
 
 #if GNUTLS_VERSION_NUMBER >= 0x030600
-#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3"
+#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
 #else
 #define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2"
 #endif
author	Peter Wu <peter@lekensteyn.nl>	2019-10-20 19:10:31 +0200
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2019-10-21 20:35:05 +0200
commit	68805580209cfaa50b2400d1a2e6c66500001395 (patch)
tree	9ac8a95238fff8a3e49fda954787836c2ffd1c49 /src/resolve/resolved-dnstls-gnutls.c
parent	hwdb: Add Medion Akoya E2215T MD60198 sensor orientation quirk (diff)
download	systemd-68805580209cfaa50b2400d1a2e6c66500001395.tar.xz systemd-68805580209cfaa50b2400d1a2e6c66500001395.zip