From: Simon Ruderich <simon@ruderich.org>
Date: Wed, 14 Aug 2013 12:18:40 +0000 (+0200)
Subject: Use "SECURE:-SHA1:+SHA1" as GnuTLS priority string.
X-Git-Url: https://ruderich.org/simon/gitweb/?p=tlsproxy%2Ftlsproxy.git;a=commitdiff_plain;h=3123fc1e16a763eb4614ebca4fc6bc80142021a9

Use "SECURE:-SHA1:+SHA1" as GnuTLS priority string.
---

diff --git a/src/tlsproxy.h b/src/tlsproxy.h
index fae7d60..33df814 100644
--- a/src/tlsproxy.h
+++ b/src/tlsproxy.h
@@ -51,7 +51,11 @@
 #define STORED_SERVER_CERT_FILE_FORMAT "./certificate-%s-server.pem"
 
 /* GnuTLS priority string used for both server and client connections. */
-#define PROXY_TLS_PRIORITIES "NORMAL"
+#define PROXY_TLS_PRIORITIES \
+    /* Don't use known insecure algorithms. */ \
+    "SECURE" \
+    /* Lower priority of SHA-1, user better hashes if possible. */ \
+    ":-SHA1:+SHA1"
 
 
 /* Proxy hostname and port if specified on the command line. */