Raise GnuTLS requirements to 3.x
This allows us to simplify things by getting rid of some old
compatibility code. People should really be using current versions
of GnuTLS anyway to stay secure.
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
index d4e88d7..88145e8 100644
--- a/common/rfb/SSecurityTLS.cxx
+++ b/common/rfb/SSecurityTLS.cxx
@@ -164,15 +164,22 @@
return true;
}
-void SSecurityTLS::setParams(gnutls_session session)
+void SSecurityTLS::setParams(gnutls_session_t session)
{
- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
- static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
+ static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
+ static const char kx_priority[] = "NORMAL";
- if (gnutls_kx_set_priority(session, anon ? kx_anon_priority : kx_priority)
- != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_kx_set_priority failed");
+ int ret;
+ const char *err;
+
+ ret = gnutls_priority_set_direct(session,
+ anon ? kx_anon_priority : kx_priority,
+ &err);
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_dh_params_init failed");
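Review bot: The exception text thrown when the priority call fails names a function that does not exist — the call is `gnutls_priority_set_direct`, but the message says `gnutls_set_priority_direct`; it should read `throw AuthFailureException("gnutls_priority_set_direct failed");` so a log line can be grepped back to the API. Separately, a practitioner would want a caveat on the new priority strings: `"NORMAL"` hands the protocol and cipher selection to the library default of whichever 3.x release is installed, and older 3.x defaults still admitted SSL 3.0 and RC4-based suites, so consider either appending explicit exclusions (e.g. `NORMAL:-VERS-SSL3.0:-ARCFOUR-128`) or documenting that the deployment relies on the distribution's GnuTLS default. Note also that the `err` pointer is only meaningful when `ret == GNUTLS_E_INVALID_REQUEST`, which the code guards correctly; a short comment saying so above the `vlog.error` call would keep a later edit from logging it unconditionally. The body of `setParams` continues past the end of this hunk.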