struct tls_config *
tls_config_new(void)
{
struct tls_config *config;
if ((config = calloc(1, sizeof(*config))) == NULL)
return (NULL);
/*
* Default configuration.
*/
if (tls_config_set_ca_file(config, _PATH_SSL_CA_FILE) != 0)
goto err;
if (tls_config_set_dheparams(config, "none") != 0)
goto err;
if (tls_config_set_ecdhecurve(config, "auto") != 0)
goto err;
if (tls_config_set_ciphers(config, "secure") != 0)
goto err;
tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
tls_config_set_verify_depth(config, 6);
tls_config_prefer_ciphers_server(config);
tls_config_verify(config);
return (config);
err:
tls_config_free(config);
return (NULL);
}
struct tls_config *
tls_config_new_internal(void)
{
struct tls_config *config;
unsigned char sid[TLS_MAX_SESSION_ID_LENGTH];
if ((config = calloc(1, sizeof(*config))) == NULL)
return (NULL);
if ((config->keypair = tls_keypair_new()) == NULL)
goto err;
config->refcount = 1;
config->session_fd = -1;
/*
* Default configuration.
*/
if (tls_config_set_dheparams(config, "none") != 0)
goto err;
if (tls_config_set_ecdhecurves(config, "default") != 0)
goto err;
if (tls_config_set_ciphers(config, "secure") != 0)
goto err;
if (tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT) != 0)
goto err;
if (tls_config_set_verify_depth(config, 6) != 0)
goto err;
/*
* Set session ID context to a random value. For the simple case
* of a single process server this is good enough. For multiprocess
* servers the session ID needs to be set by the caller.
*/
arc4random_buf(sid, sizeof(sid));
if (tls_config_set_session_id(config, sid, sizeof(sid)) != 0)
goto err;
config->ticket_keyrev = arc4random();
config->ticket_autorekey = 1;
tls_config_prefer_ciphers_server(config);
tls_config_verify(config);
return (config);
err:
tls_config_free(config);
return (NULL);
}