ocserv: disable TLS1.3 when cisco client compatibility is requested

There are certain anyconnect clients which seem to fail connecting using
TLS1.3.

Resolves: #318

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>

NEWS

@@ -5,6 +5,9 @@
   multiple concurrent connections (#310)
 - Added namespace support for listen address by introducing the
   listen-netns  option (#189)
+- Disable TLS1.3 when cisco client compatibility is enabled. New
+  anyconnect clients seem to supporting TLS1.3 but unable to handle
+  a client with an RSA key (#318)
 
 
 * Version 1.1.0 (released 2020-06-16)

src/config.c

@@ -1414,11 +1414,18 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
 #endif
 
 	if (config->priorities == NULL) {
-		/* on vhosts assign the main host priorities */
+		char *tmp = "";
+		/* on vhosts assign the main host priorities. We furthermore disable TLS1.3 on Cisco clients
+		 * due to issue #318. */
+
+		if (config->cisco_client_compat) {
+			tmp = ":-VERS-TLS1.3";
+		}
+
 		if (defvhost) {
-			config->priorities = talloc_strdup(config, defvhost->perm_config.config->priorities);
+			config->priorities = talloc_asprintf(config, "%s%s", defvhost->perm_config.config->priorities, tmp);
 		} else {
-			config->priorities = talloc_strdup(config, "NORMAL:%SERVER_PRECEDENCE:%COMPAT");
+			config->priorities = talloc_asprintf(config, "%s%s", "NORMAL:%SERVER_PRECEDENCE:%COMPAT", tmp);
 		}
 	}