Bugfix for TLS server sessions

ChangeLog

@@ -1,6 +1,11 @@
+2019-09-21  Richard Frith-Macdonald <rfm@gnu.org>
+
+	* Source/GSTLS.m: Re-order code to avoid setting session priority
+	twice (avoids bug where server downgrades from TLS1.3 to TLS1.2).
+
 2019-09-16  Alan Jenkins <alan.christopher.jenkins@gmail.com>
 
-	* Tools/gdompa.c:
+	* Tools/gdomap.c:
 	A couple of is_local_net() tests were wrong: they used "&&"
 	with masks, but that is the logical shortcut operator.
 	The correct bitwise operator is "&".  The result was that

Source/GSTLS.m

@@ -1703,15 +1703,6 @@ retrieve_callback(gnutls_session_t session,
           str = nil;
         }
 
-#if GNUTLS_VERSION_NUMBER < 0x020C00
-      gnutls_set_default_priority(session);
-#else
-      /* By default we disable SSL3.0 as the 'POODLE' attack (Oct 2014)
-       * renders it insecure.
-       */
-      gnutls_priority_set_direct(session, "NORMAL:-VERS-SSL3.0", NULL);
-#endif
-
       if (nil == str)
         {
           if ([pri isEqual: NSStreamSocketSecurityLevelNone] == YES)
@@ -1758,15 +1749,28 @@ retrieve_callback(gnutls_session_t session,
 #else
               gnutls_priority_set_direct(session,
                 "NORMAL:-VERS-SSL3.0:+VERS-TLS-ALL", NULL);
+#endif
+            }
+          else
+            {
+#if GNUTLS_VERSION_NUMBER < 0x020C00
+              gnutls_set_default_priority(session);
+#else
+              /* By default we disable SSL3.0 as the 'POODLE' attack (Oct 2014)
+               * renders it insecure.
+               */
+              gnutls_priority_set_direct(session, "NORMAL:-VERS-SSL3.0", NULL);
 #endif
             }
         }
-#if GNUTLS_VERSION_NUMBER >= 0x020C00
       else
         {
+#if GNUTLS_VERSION_NUMBER >= 0x020C00
           gnutls_priority_set_direct(session, [str UTF8String], NULL);
-        }
+#else
+          gnutls_set_default_priority(session);
 #endif
+        }
 
       /* Set certificate credentials for this session.
        */