systemd/0072-backport-CVE-2018-21029-resolved-fix-connection-failures-with-TLS-1.3-and-Gn.patch

From 68805580209cfaa50b2400d1a2e6c66500001395 Mon Sep 17 00:00:00 2001
From: Peter Wu <peter@lekensteyn.nl>
Date: Sun, 20 Oct 2019 18:10:31 +0100
Subject: [PATCH] resolved: fix connection failures with TLS 1.3 and GnuTLS

Prefer TLS 1.3 before TLS 1.2 for DNS-over-TLS support, otherwise
servers compliant with RFC 8446 might end up agreeing TLS 1.2 plus a
downgrade signal which is not expected by GnuTLS clients. This manifests
in the following error:

    Failed to invoke gnutls_handshake: An illegal parameter has been received.

Fixes: #13528
Fixes: v242-962-g9c0624dcdb ("resolved: support TLS 1.3 when using GnuTLS for DNS-over-TLS")
---
 src/resolve/resolved-dnstls-gnutls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
index 06d635fcc4..7ad9662073 100644
--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -10,7 +10,7 @@
 #include "resolved-dnstls.h"
 
 #if GNUTLS_VERSION_NUMBER >= 0x030600
-#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3"
+#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
 #else
 #define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2"
 #endif
-- 
2.26.2