author | Jack Lloyd <[email protected]> | 2019-05-20 14:44:08 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2019-05-20 15:11:05 -0400 |
commit | 67df17d31d61f013d537abc7744f707435351125 (patch) | |
tree | cde44420bdcf69fccf8f79123479b6ef0a2712d0 /src/lib/tls/tls_policy.h | |
parent | 8e781e5a1be3ecc456c8e109571a084ec8bb792e (diff) |
Fix various issues in TLS found using BoGo
- BoGo sends unparseable OCSP responses, so we have to accommodate
this by delaying decoding until verification and simply ignoring
OCSP responses that we can't parse.
- Check that there is no trailing garbage at the end of various messages.
- Don't send empty SNI
- Check the TLS record header versions (previously ignored)
- For CBC 1/n-1 splitting split every record instead of just first.
I think this is not a problem but it is what BoGo expects.
- New Channel::application_protocol virtual (previously was
implemented on both Client and Server but not shared).
- Changes to resumption version handling.
- Fix server version selection when newer versions are disabled.
New policy hooks added in service of BoGo:
- maximum_certificate_chain_size gives the maximum cert chain in bytes
that we'll accept.
- allow_resumption_for_renegotiation specifies if a renegotiation
attempt can be simply (re-)resumed instead.
- abort_handshake_on_undesired_renegotiation - previously we just
ignored it with a warning alert. Now behavior is configurable.
- request_client_certificate_authentication
- require_client_certificate_authentication
Diffstat (limited to 'src/lib/tls/tls_policy.h')
-rw-r--r-- | src/lib/tls/tls_policy.h | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index 7b00b2e01..3a5be83d9 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -125,6 +125,14 @@ class BOTAN_PUBLIC_API(2,0) Policy
 virtual bool allow_server_initiated_renegotiation() const;
 /**
+ * If true, a request to renegotiate will close the connection with
+ * a fatal alert. Otherwise, a warning alert is sent.
+ */
+ virtual bool abort_connection_on_undesired_renegotiation() const;
+
+ virtual bool only_resume_with_exact_version() const;
+
+ /**
 * Allow TLS v1.0
 */
 virtual bool allow_tls10() const;
@@ -271,6 +279,19 @@ class BOTAN_PUBLIC_API(2,0) Policy
 virtual bool support_cert_status_message() const;
 /**
+ * Indicate if client certificate authentication is required.
+ * If true, then a cert will be requested and if the client does
+ * not send a certificate the connection will be closed.
+ */
+ virtual bool require_client_certificate_authentication() const;
+
+ /**
+ * Indicate if client certificate authentication is requested.
+ * If true, then a cert will be requested.
+ */
+ virtual bool request_client_certificate_authentication() const;
+
+ /**
 * Return allowed ciphersuites, in order of preference
 */
 virtual std::vector<uint16_t> ciphersuite_list(Protocol_Version version,
@@ -292,6 +313,14 @@ class BOTAN_PUBLIC_API(2,0) Policy
 virtual size_t dtls_maximum_timeout() const;
 /**
+ * @return the maximum size of the certificate chain, in bytes.
+ * Return 0 to disable this and accept any size.
+ */
+ virtual size_t maximum_certificate_chain_size() const;
+
+ virtual bool allow_resumption_for_renegotiation() const;
+
+ /**
 * Convert this policy to a printable format.
 * @param o stream to be printed to
 */
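Review bot: `only_resume_with_exact_version()` is declared without a doc comment, and the same is true of `allow_resumption_for_renegotiation()` in the third hunk, although both change when a saved session is accepted and every neighbouring hook is documented. I would add something like `/** If true, a session is only resumed when the negotiated version equals the version it was created with. */` above the first, worded to match the implementation (which is not in this diff), and state the default return value for each. The commit message also names the renegotiation hook `abort_handshake_on_undesired_renegotiation` while the declaration here is `abort_connection_on_undesired_renegotiation`; one of the two should be corrected so that someone overriding it looks for the right name.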
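Review bot: The comment on `request_client_certificate_authentication()` stops at "a cert will be requested" and does not say what happens when the client declines, which is the security-relevant half. Going by the contrast with `require_client_certificate_authentication()`, the handshake presumably completes unauthenticated, so an application relying on request-only has to check for an empty peer chain itself. I would add ` * If the client sends no certificate the handshake still completes; callers must check the peer certificate chain.` once that is confirmed against the server code, which is outside this diff. Neither comment states the default return value, which matters to anyone auditing a subclass.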
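Review bot: `maximum_certificate_chain_size()` uses 0 to mean "accept any size", and the comment does not give the default, so a reader cannot tell whether the limit is active out of the box. If the base implementation returns 0, the size of a peer-supplied chain is bounded only by the handshake message length. I would document the default explicitly, e.g. ` * The default is 0 (no limit).` or whatever value tls_policy.cpp actually returns (that file is not part of this diff). It would also help to say whether the byte count covers only the encoded certificates or the whole Certificate message.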
@@ -525,6 +554,8 @@ class BOTAN_PUBLIC_API(2,0) Text_Policy : public Policy
 bool support_cert_status_message() const override;
+ bool require_client_certificate_authentication() const override;
+
 size_t minimum_ecdh_group_size() const override;
 size_t minimum_ecdsa_group_size() const override; |
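Review bot: `Text_Policy` gains an override only for `require_client_certificate_authentication()`; the other hooks this commit adds to `Policy` (`request_client_certificate_authentication`, `abort_connection_on_undesired_renegotiation`, `only_resume_with_exact_version`, `maximum_certificate_chain_size`, `allow_resumption_for_renegotiation`) get none in this file. Deployments that configure TLS through a policy file therefore cannot change them and always get the base-class defaults, which leaves the chain size limit and the renegotiation behaviour out of reach as hardening settings. I would add matching declarations next to the new line, e.g. `size_t maximum_certificate_chain_size() const override;` and `bool abort_connection_on_undesired_renegotiation() const override;`. The class body continues outside the hunk.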