
FreeTDS is Ignoring GNUTLS Configuration(s) #657

@hking-forescout

Description


On a RHEL9 server I have FreeTDS 1.3.3 installed and configured with GnuTLS. I am encountering the issues listed below related to the FreeTDS GnuTLS configuration.

  1. I have tried updating the supported ciphers and priority string used by my application by updating the system config file. I confirmed in the dump file that it is referencing that config file, but it said it was not updated after my changes, even after rebooting the server. I added a custom config file and used the GNUTLS_SYSTEM_PRIORITY_FILE environment variable at the start of my application runtime to reference my custom GnuTLS config file. This was recognized by the dump file, but any later changes to this file are also not recognized, and the log says it is unchanged.

  2. FreeTDS is having difficulty with the GnuTLS priority string. I tried enforcing different priorities with the GNUTLS_PRIORITY environment variable, but this is not recognized whether I provide a string listed in the [priorities] section or provide a priority string directly. The dump file always says it is loading SYSTEM priorities. I updated the SYSTEM string in the [priorities] section of every gnutls.config file on the system (the original and the custom ones), but this is not recognized either. I see in tls.c, starting at line 513 (566 in master as of 6/12/2025), that we are using the gnutls_set_default_priority(session) call and then immediately overwriting the result depending on the TLS version. Is there a reason for this?

  3. The dump file shows that the number of protocols, ciphersuites, signatures, etc. are all aligned with what is in the configuration file. Then, immediately after this, it is replaced and FreeTDS is loading the full suite that was originally in the system. Wireshark shows the full set being passed in the TLS negotiation. Is this solely related to the defaults mentioned in point 2?

My teammate found a resource that suggested that FreeTDS may initialize a system default version when it is installed/configured with GnuTLS, and that this may also be what is overriding all of our attempts to customize our GnuTLS behavior. I haven't found anything in the source code that confirms this, so does any developer know if this is accurate and a potential contributor to these issues?

TL;DR: in tls.c FreeTDS is overriding some GnuTLS preferences by default. Is there a potential workaround to ensure GnuTLS config file settings are used instead, or is customization the only option?

OS: RHEL9
FreeTDS 1.3.3
GnuTLS: 3.7.1
TDS Version: auto (we're setting 7.4 in freetds.conf)
Source code referenced from tag zip file: https://github.com/FreeTDS/freetds/releases/tag/v1.3.3
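Added example (not part of the issue above, and not FreeTDS or GnuTLS code): a small Python model of how a GnuTLS priority string is resolved against the system config file, to make points 2 and 3 concrete. It implements only the documented resolution order as I read the GnuTLS manual: a NULL priority (what gnutls_set_default_priority() uses) means the [overrides] default-priority-string if present, otherwise "NORMAL"; a string beginning with "@" is a keyword lookup in [priorities], with "@A,B" trying A then B and any ":..." remainder appended; any other string is taken verbatim and never touches the config. The sample config text, the literal string handed to the simulated gnutls_priority_set_direct() call, and the RHEL file path are assumptions made for the demo, not values taken from tls.c or a real server. One caveat the model does not reproduce: the real library reads the config once at gnutls_global_init(), so edits made after the process has started are not seen until it restarts, whereas this script re-reads the text on every call.

```python
"""Model of GnuTLS priority-string resolution against a gnutls.config file.

Added example, not FreeTDS or GnuTLS code. The resolution rules follow the
GnuTLS manual as I read it; verify the '@A,B' fallback and ':...' append
behaviour against the version you run.
"""
import configparser
import os
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the INI-style format GnuTLS documents for its config
# file. Contents are assumptions for the demo, not a real system's file.
SAMPLE_CONFIG = """
[priorities]
SYSTEM = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
LEGACY = NORMAL:%COMPAT

[overrides]
default-priority-string = @SYSTEM
"""

# Typical path on RHEL (crypto-policies generated). Assumed for the demo.
RHEL_CONFIG_PATH = "/etc/crypto-policies/back-ends/gnutls.config"


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse config text into {section: {key: value}}, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep KEYWORD case, GnuTLS keywords are case-sensitive
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def load_system_config(default_path: str = RHEL_CONFIG_PATH) -> Dict[str, Dict[str, str]]:
    """Read the file GnuTLS would use: GNUTLS_SYSTEM_PRIORITY_FILE overrides the path."""
    path = os.environ.get("GNUTLS_SYSTEM_PRIORITY_FILE", default_path)
    with open(path, encoding="utf-8") as fh:
        return parse_config(fh.read())


def resolve_priority(priority: Optional[str], cfg: Dict[str, Dict[str, str]]) -> str:
    """Return the effective priority string for a requested one.

    None models gnutls_set_default_priority(); a literal string models
    gnutls_priority_set_direct(session, literal, NULL).
    """
    if priority is None:
        priority = cfg.get("overrides", {}).get("default-priority-string", "NORMAL")
    if not priority.startswith("@"):
        return priority  # literal: [priorities] is never consulted
    keywords, _, remainder = priority[1:].partition(":")
    table = cfg.get("priorities", {})
    for keyword in keywords.split(","):  # first keyword present wins
        if keyword in table:
            return table[keyword] + (":" + remainder if remainder else "")
    raise KeyError(f"no [priorities] entry matches {priority!r}")


def disabled_versions(priority: str) -> Set[str]:
    """Protocol versions explicitly removed by '-VERS-*' tokens in a priority string."""
    return {tok[len("-VERS-"):] for tok in priority.split(":") if tok.startswith("-VERS-")}


def freetds_like_sequence(cfg: Dict[str, Dict[str, str]],
                          direct_literal: str) -> List[Tuple[str, str]]:
    """Replay the two-call pattern described in the issue and record each result.

    direct_literal stands in for whatever tls.c passes to
    gnutls_priority_set_direct(); it is an assumed value here.
    """
    trace = [("gnutls_set_default_priority", resolve_priority(None, cfg))]
    trace.append(("gnutls_priority_set_direct", resolve_priority(direct_literal, cfg)))
    return trace  # the last entry is what the ClientHello is built from


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for call, result in freetds_like_sequence(cfg, "NORMAL:%COMPAT:+VERS-TLS1.2"):
        print(f"{call:30s} -> {result}  (disabled: {sorted(disabled_versions(result))})")
```

The second call's literal string contains no "@" reference, so the [priorities] entries, and anything GNUTLS_SYSTEM_PRIORITY_FILE points at, cannot affect it; the versions the config removed come back, which matches the full cipher and version set seen on the wire in point 3. A direct string that keeps config control would itself start with "@SYSTEM", e.g. "@SYSTEM:+VERS-TLS1.2", which resolve_priority() also handles.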
