| Commit message | Author | Age | Files | Lines |
Pass version to ciphersuite_list, avoid negotiating RC4 with DTLS
Disable ECC <= 192 bits.
Add a few 'feature tests' to Protocol_Version which helps avoid some
explicit comparisons. Additionally, remove the relational comparisons,
except for operator> which is still used in a few locations.
TLS::Policy has changed and no longer has min_version. The new hook
that replaces it is acceptable_protocol_version, which should return
true if and only if we are willing to negotiate the version
returned. This leads to a somewhat cleaner result and additionally
allows one to do maybe interesting though mostly useless things like
allowing TLS 1.0 or 1.2 but not 1.1.
Fix the version sent in the (unused) DTLS hello verify message.
allowed_macs. This allows someone to turn on MD5 for message auth,
which is a little sketchy but probably OK, without also (likely
unintentionally) enabling MD5 for TLS v1.2 signatures, which would be
a big problem.
Prioritize RC4 over 3DES in default policy.
Disable ECC curves smaller than 224 bits by default.
More updates to the TLS policy documentation.
insufficient_security alert if the server tries to give us a DH group
smaller than that. Also check to make sure the key isn't obviously
bogus (<=1 || >= p-1), though as the key is purely ephemeral it
doesn't seem like a small subgroup attack would provide much advantage
anyway.
enabling this is a bad idea.
update. Increase DHE group size from 1536 to 2048 bits, which per
NIST/ECRYPT should be good to 2030 or so.
Make ciphersuite_list a free-standing function
Now the Policy interface only contains actual policy hooks (no
non-virtual functions). Though choose_curve is a little dubious.
seconds and report that value to the client in the NewSessionTicket
message. After that point, a session ticket is ignored and a full
renegotiation is forced.
Only send a new session ticket on a new session, or on a resumed
session where the client indicated it supports session tickets but for
whatever reason didn't send one in the hello. Perhaps in this case, we
should also remove the session from the session manager?
Clean up server selection of the ciphersuite a bit, all in an anon
function in tls_server instead of scattered over Server, Policy, and
Server_Hello.
Add Session::session_age and Session_Manager::session_lifetime
overridden easily in a new release without changing binaries linked
against an earlier version.
The client can constrain their offering if they want to.
Add identifiers for PSK suites (not implemented)
Rename hide_unknown_srp_users to hide_unknown_users as it can be used
for PSK as well.
and will choose one depending on which ciphersuites the client
offered.
the values let policy specify them. Also choose an ECC curve for
server kex from the client hello. Choice is via policy, default
implementation is to choose the first curve the client supports out of
the server's preference list.
avoid negotiating an ECDH key exchange if the client didn't send any
curves that we know about.
an application can actually override them.
checking, allowed client auth CAs, etc than the policy class. With
this change, most users won't ever need to modify the default policy
which is likely a good thing.
Remove copy and paste of the credentials manager implementation in the
examples.
for such a minor change.
everything into a new namespace (Botan::TLS), removing the TLS_
prefixes on everything.
counterparty by using the highest preference hash they have available
for the signature type we are generating. This does mean we will do
stupid things if the counterparty is stupid (for instance some
versions of GnuTLS will prefer SHA-1 over the SHA-2s - likely someone
misread the spec and ordered the list backwards). But because we
filter out MD5 we'll never use that; even in the worst case, if
someone requests only MD5, we'll skip over it and use SHA-1 as the
fallback algorithm. Theoretically this is against the spec because we
"MUST" send something compatible, but seriously, fuck em. Right in the
eye.
would like to use, in order of preference. Client sorts list of known
ciphersuites by those preferences and sends them. Server now picks the
first client method it knows and that it can use (previously, it would
choose the one it liked the best out of what the client sent).
New policy callback returns list of CAs allowed for client auth.
Don't send certificate request unless we have at least one CA we want
signatures from. OpenSSL has a behavior (bug?) in TLS 1.2 mode such
that it will reject a connection if a certificate request is sent
without any names included.
remain broken.
New interface for querying the TLS extensions, much cleaner.
extension (client side only at the moment). Add an interface that
allows applications to request renegotiation.