diff -up librelp-1.10.0/src/tcp.c.crypto-compliance librelp-1.10.0/src/tcp.c --- librelp-1.10.0/src/tcp.c.crypto-compliance 2021-02-16 09:07:24.000000000 +0100 +++ librelp-1.10.0/src/tcp.c 2021-08-17 10:13:53.368936612 +0200 @@ -1155,32 +1155,8 @@ static relpRetVal LIBRELP_ATTR_NONNULL() relpTcpTLSSetPrio_gtls(relpTcp_t *const pThis) { int r; - char pristringBuf[4096]; - char *pristring; ENTER_RELPFUNC; - /* Set default priority string (in simple cases where the user does not care...) */ - if(pThis->pristring == NULL) { - if (pThis->authmode == eRelpAuthMode_None) { - if(pThis->bEnableTLSZip) { - strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-ALL", sizeof(pristringBuf)); - } else { - strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-NULL", sizeof(pristringBuf)); - } - pristringBuf[sizeof(pristringBuf)-1] = '\0'; - pristring = pristringBuf; - r = gnutls_priority_set_direct(pThis->session, pristring, NULL); - } else { - r = gnutls_set_default_priority(pThis->session); - strncpy(pristringBuf, "to recommended system default", sizeof(pristringBuf)); - pristringBuf[sizeof(pristringBuf)-1] = '\0'; - pristring = pristringBuf; - } - - } else { - pristring = pThis->pristring; - r = gnutls_priority_set_direct(pThis->session, pristring, NULL); - } - + r = gnutls_set_default_priority(pThis->session); if(r == GNUTLS_E_INVALID_REQUEST) { ABORT_FINALIZE(RELP_RET_INVLD_TLS_PRIO); } else if(r != GNUTLS_E_SUCCESS) { @@ -1188,7 +1164,7 @@ relpTcpTLSSetPrio_gtls(relpTcp_t *const } finalize_it: - pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: Setting ciphers '%s' iRet=%d\n", pristring, iRet); + pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: Setting ciphers to system default iRet=%d\n", iRet); if(iRet != RELP_RET_OK) { chkGnutlsCode(pThis, "Failed to set GnuTLS priority", iRet, r); @@ -1207,38 +1183,15 @@ relpTcpTLSSetPrio_gtls(LIBRELP_ATTR_UNUS static relpRetVal LIBRELP_ATTR_NONNULL() relpTcpTLSSetPrio_ossl(relpTcp_t *const pThis) { - char pristringBuf[4096]; - char *pristring; ENTER_RELPFUNC; - /* Compute priority string (in simple cases where the user does not care...) */ - if(pThis->pristring == NULL) { - if (pThis->authmode == eRelpAuthMode_None) { - #if OPENSSL_VERSION_NUMBER >= 0x10100000L \ - && !defined(LIBRESSL_VERSION_NUMBER) - /* NOTE: do never use: +eNULL, it DISABLES encryption! */ - strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0", - sizeof(pristringBuf)); - #else - strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL", - sizeof(pristringBuf)); - #endif - } else { - strncpy(pristringBuf, "DEFAULT", sizeof(pristringBuf)); - } - pristringBuf[sizeof(pristringBuf)-1] = '\0'; - pristring = pristringBuf; - } else { - /* We use custom CipherString if used sets it by SslConfCmd */ - pristring = pThis->pristring; - } - if ( SSL_set_cipher_list(pThis->ssl, pristring) == 0 ){ - pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Error setting ciphers '%s'\n", pristring); + if (SSL_set_cipher_list(pThis->ssl, "PROFILE=SYSTEM") == 0){ + pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Error setting ciphers to system default\n"); ABORT_FINALIZE(RELP_RET_ERR_TLS_SETUP); } finalize_it: - pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Setting ciphers '%s' iRet=%d\n", pristring, iRet); + pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Setting ciphers to system default iRet=%d\n", iRet); LEAVE_RELPFUNC; } #else