DTLS priority enables TLS1.2
Description of problem:
On a TLS server, I'd like to disable all TLS versions before TLSv1.3. When I set the priority to
NORMAL:-VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.0:-VERS-TLS1.1
it seems clients can still connect using TLS1.2. But when I add there -VERS-DTLS-ALL
, it works as expected. If DTLS1.0 or DTLS1.2 is enabled, the server allows the client to use TLS1.2. I think that's unexpected, or at least I couldn't find an explanation in the documentation.
Version of gnutls used:
gnutls-3.6.14
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Fedora
How reproducible:
Always
Steps to Reproduce:
- gnutls-serv --x509keyfile=server.key --x509certfile=server.crt --priority="NORMAL:-VERS-TLS1.2:-VERS-TLS1.0:-VERS-TLS1.1"
- gnutls-cli server.example.net -p 5556 --priority="NORMAL:-VERS-ALL:+VERS-TLS1.2"
Actual results:
Handshake completed
Expected results:
Handshake failed