iksemel/secure_gnutls_options.patch

Index: src/tls-gnutls.c
===================================================================
--- a/src/tls-gnutls.c
+++ b/src/tls-gnutls.c
@@ -48,11 +48,7 @@ tls_pull (struct ikstls_data *data, char
 static int
 tls_handshake (struct ikstls_data **datap, ikstransport *trans, void *sock)
 {
-	const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
-	const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
-	const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
-	const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
-	const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
+	const char *priority_string = "SECURE256:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2";
 	struct ikstls_data *data;
 	int ret;
 
@@ -81,11 +77,7 @@ tls_handshake (struct ikstls_data **data
 		return IKS_NOMEM;
 	}
 
-	gnutls_protocol_set_priority (data->sess, protocol_priority);
-	gnutls_cipher_set_priority(data->sess, cipher_priority);
-	gnutls_compression_set_priority(data->sess, comp_priority);
-	gnutls_kx_set_priority(data->sess, kx_priority);
-	gnutls_mac_set_priority(data->sess, mac_priority);
+	gnutls_priority_set_direct(data->sess, priority_string, NULL);
 	gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
 
 	gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);