From 01bbdc98d6e1a897111a93e0137dc41b0dd4e083 Mon Sep 17 00:00:00 2001
From: Jiri Vymazal
Date: Wed, 10 Jul 2019 13:49:43 +0200
Subject: [PATCH] Modified GnuTLS priority according to standard crypto-policy guideline

Edited TLS priority string default to conform to system-wide default and align librelp behavior with other crypto-utilizing packages
---
 src/tcp.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/src/tcp.c b/src/tcp.c
index bd9bf1db..36e8712c 100644
--- a/src/tcp.c
+++ b/src/tcp.c
@@ -1136,20 +1136,29 @@ relpTcpTLSSetPrio_gtls(relpTcp_t *const pThis)
 char pristringBuf[4096];
 char *pristring;
 ENTER_RELPFUNC;
- /* Compute priority string (in simple cases where the user does not care...) */
+ /* Set default priority string (in simple cases where the user does not care...) */
 if(pThis->pristring == NULL) {
- if(pThis->bEnableTLSZip) {
- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-ALL", sizeof(pristringBuf));
- } else {
- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-NULL", sizeof(pristringBuf));
+ if (pThis->authmode == eRelpAuthMode_None) {
+ if(pThis->bEnableTLSZip) {
+ strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-ALL", sizeof(pristringBuf));
+ } else {
+ strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-NULL", sizeof(pristringBuf));
 }
- pristringBuf[sizeof(pristringBuf)-1] = '\0';
- pristring = pristringBuf;
+ pristringBuf[sizeof(pristringBuf)-1] = '\0';
+ pristring = pristringBuf;
+ r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
+ } else {
+ r = gnutls_set_default_priority(pThis->session);
+ strncpy(pristringBuf, "to recommended system default", sizeof(pristringBuf));
+ pristringBuf[sizeof(pristringBuf)-1] = '\0';
+ pristring = pristringBuf;
+ }
+ } else {
 pristring = pThis->pristring;
+ r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
 }
- r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
 if(r == GNUTLS_E_INVALID_REQUEST) {
 ABORT_FINALIZE(RELP_RET_INVLD_TLS_PRIO);
 } else if(r != GNUTLS_E_SUCCESS) {
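Review bot: The new `authmode == eRelpAuthMode_None` branch keeps the hard-coded `NORMAL:+ANON-DH:+COMP-ALL` / `+COMP-NULL` strings, so the system-wide crypto policy named in the commit message governs only the authenticated modes; anonymous sessions still negotiate outside that policy (including TLS compression when bEnableTLSZip is set), which the comment should say, e.g. `/* anon mode needs ANON-DH, which a system policy is unlikely to enable; only authenticated modes follow the system default */`. The check below the branches maps GNUTLS_E_INVALID_REQUEST to RELP_RET_INVLD_TLS_PRIO for every path, so a failing gnutls_set_default_priority() would surface as an invalid user-supplied priority string although none was configured; presumably the `"to recommended system default"` label reaches a log line later, but the return code itself stays misleading, so consider a distinct error path for the default-policy branch. The body of relpTcpTLSSetPrio_gtls continues past the hunk.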