From cc50c639ae498a14a95ce9b7a0dd598d0df529a7 Mon Sep 17 00:00:00 2001
From: Wolfgang Lux
Date: Tue, 29 Oct 2019 10:14:35 +0100
Subject: [PATCH] Fall back to a sane default if the TLS priority setting is invalid.

---
 ChangeLog      | 5 +++++
 Source/GSTLS.m | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index b257dc90f..e85a257ac 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2019-10-29 Wolfgang Lux
+
+	* Source/GSTLS.m:
+	Fall back to a sane default if the TLS priority setting is invalid.
+
 2019-10-28 Wolfgang Lux
 
 	* Source/GSSocketStream.m:
diff --git a/Source/GSTLS.m b/Source/GSTLS.m
index 88e6729da..b88174b70 100644
--- a/Source/GSTLS.m
+++ b/Source/GSTLS.m
@@ -1771,7 +1771,13 @@ retrieve_callback(gnutls_session_t session,
       /* By default we disable SSL3.0 as the 'POODLE' attack (Oct 2014)
        * renders it insecure.
        */
-      gnutls_priority_set_direct(session, [str UTF8String], NULL);
+      const char *err_pos;
+      if (gnutls_priority_set_direct(session, [str UTF8String], &err_pos))
+        {
+          NSLog(@"Invalid GSTLSPriority: %s", err_pos);
+          NSLog(@"Falling back to NORMAL:-VERS-SSL3.0");
+          gnutls_priority_set_direct(session, "NORMAL:-VERS-SSL3.0", NULL);
+        }
 #endif
 }
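Review bot: `err_pos` on the first added line of the GSTLS.m hunk is never initialised, and gnutls documents it as being filled in when the priority string fails to parse, so on any other non-zero return (an allocation failure, for instance) the `%s` in the first NSLog reads an indeterminate pointer; initialise it to NULL, keep the return code, and log `gnutls_strerror()` alongside the position. The return value of the fallback `gnutls_priority_set_direct` call is also discarded, so if that call fails nothing is logged and the session continues with whatever priority state gnutls is left in. Worth noting for operators: a typo in a deliberately stricter GSTLSPriority (say a SECURE256-based string) now becomes a quiet downgrade to NORMAL rather than a failure, so the log message should name the rejected string and make the downgrade explicit, or the code should refuse the session if fail-closed is preferred. The enclosing method begins before the hunk; the `retrieve_callback` text in the `@@` header is only git's function hint, not the method being edited.

```objc
      /* … unchanged: POODLE comment … */
      const char *err_pos = NULL;
      int ret = gnutls_priority_set_direct(session, [str UTF8String], &err_pos);
      if (ret != GNUTLS_E_SUCCESS)
        {
          NSLog(@"Invalid GSTLSPriority '%@': %s (at: %s)", str,
            gnutls_strerror(ret), err_pos ? err_pos : "?");
          NSLog(@"Falling back to NORMAL:-VERS-SSL3.0 (weaker than the configured policy)");
          ret = gnutls_priority_set_direct(session, "NORMAL:-VERS-SSL3.0", NULL);
          if (ret != GNUTLS_E_SUCCESS)
            {
              NSLog(@"Unable to set fallback TLS priority: %s", gnutls_strerror(ret));
            }
        }
```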