Fix various issues in TLS found using BoGo

 - BoGo sends unparseable OCSP responses, so we have to accomodate for
   this by delaying decoding until verification and simply ignoring
   OCSP responses that we can't parse.
 - Check that there is no trailing garbage at the end of various messages.
 - Don't send empty SNI
 - Check the TLS record header versions (previously ignored)
 - For CBC 1/n-1 splitting split every record instead of just first.
   I think this is not a problem but it is what BoGo expects.
 - New Channel::application_protocol virtual (previously was
   implemented on both Client and Server but not shared).
 - Changes to resumption version handling.
 - Fix server version selection when newer versions are disabled.

New policy hooks added in service of BoGo:
 - maximum_certificate_chain_size gives the maximum cert chain in bytes
   that we'll accept.
 - allow_resumption_for_renegotiation specifies if a renegotiation
   attempt can be simply (re-)resumed instead.
 - abort_handshake_on_undesired_renegotiation - previously we just
   ignored it with a warning alert. Now behavior is configurable.
 - request_client_certificate_authentication
 - require_client_certificate_authentication

1 files changed, 1 insertions, 1 deletions

diff --git a/src/lib/tls/tls_server.h b/src/lib/tls/tls_server.h
index c55c3f93d..e6536934a 100644
--- a/src/lib/tls/tls_server.h
+++ b/src/lib/tls/tls_server.h
@@ -110,7 +110,7 @@ class BOTAN_PUBLIC_API(2,0) Server final : public Channel
       * tied to the session and a later renegotiation of the same
       * session can choose a new protocol.
       */
-      std::string application_protocol() const { return m_next_protocol; }
+      std::string application_protocol() const override { return m_next_protocol; }
 
    private:
       std::vector<X509_Certificate>