From 2edeed11cbc3fde578a57e9d17f0c71666ad601a Mon Sep 17 00:00:00 2001
From: Jason Rhinelander
Date: Thu, 8 Jan 2026 20:42:46 -0400
Subject: [PATCH] Prune unneeded things from the gnutls priority string
- Explicitly disable TLS1.0-1.2 (which aren't used anyway)
- Remove +SHA256 which does nothing under TLS1.3
- Remove +AES-128-CCM-8 which does nothing (AES-128-CCM-8 is already implied by TLS1.3, and isn't practically used as TLS-1.3 prefers AES-GCM anyway).
- Remove unused/unwanted PSK values
---
 src/gnutls_crypto.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/gnutls_crypto.cpp b/src/gnutls_crypto.cpp
index 896052a1..dc363953 100644
--- a/src/gnutls_crypto.cpp
+++ b/src/gnutls_crypto.cpp
@@ -152,7 +152,11 @@ namespace oxen::quic
 }
 static constexpr auto* PRIORITY =
- "NORMAL:+ECDHE-PSK:+PSK:+ECDHE-ECDSA:+AES-128-CCM-8:+CTYPE-CLI-ALL:+CTYPE-SRV-ALL:+SHA256";
+ "NORMAL" // sane defaults
+ ":+VERS-TLS1.3" // Required by QUIC protocol
+ ":-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0" // old TLS not needed or wanted
+ ":+CTYPE-CLI-ALL:+CTYPE-SRV-ALL" // allows our raw pk certificate handling
+ ;
 GNUTLSCreds::GNUTLSCreds()
 {
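Review bot: The version pin in the new `PRIORITY` literal removes TLS 1.2, 1.1 and 1.0 by name, so it excludes only the versions it lists; whatever else `NORMAL` resolves to on a given GnuTLS build or system-wide policy is left as it is. Clearing the version list and adding back the single wanted entry states the intent directly and does not depend on the enumeration staying complete: `":-VERS-ALL:+VERS-TLS1.3" // QUIC requires TLS 1.3; nothing else is enabled`. Separately, the comment on the `CTYPE` line gives raw public-key handling as the reason, but `+CTYPE-CLI-ALL:+CTYPE-SRV-ALL` enables every certificate type; if X.509 is not used on this path, `":+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK"` would be the narrower setting, and otherwise the comment should say that both types are intended. The code that hands `PRIORITY` to GnuTLS is outside the hunk, so how a rejected priority string is reported cannot be checked from here.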