Ejemplo n.º 1
0
struct tls_config *
tls_config_new(void)
{
	struct tls_config *config;

	if ((config = calloc(1, sizeof(*config))) == NULL)
		return (NULL);

	/*
	 * Default configuration.
	 */
	if (tls_config_set_ca_file(config, _PATH_SSL_CA_FILE) != 0)
		goto err;
	if (tls_config_set_dheparams(config, "none") != 0)
		goto err;
	if (tls_config_set_ecdhecurve(config, "auto") != 0)
		goto err;
	if (tls_config_set_ciphers(config, "secure") != 0)
		goto err;

	tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
	tls_config_set_verify_depth(config, 6);
	
	tls_config_prefer_ciphers_server(config);

	tls_config_verify(config);

	return (config);

 err:
	tls_config_free(config);
	return (NULL);
}
Ejemplo n.º 2
0
struct tls_config *
tls_config_new_internal(void)
{
	struct tls_config *config;
	unsigned char sid[TLS_MAX_SESSION_ID_LENGTH];

	if ((config = calloc(1, sizeof(*config))) == NULL)
		return (NULL);

	if ((config->keypair = tls_keypair_new()) == NULL)
		goto err;

	config->refcount = 1;
	config->session_fd = -1;

	/*
	 * Default configuration.
	 */
	if (tls_config_set_dheparams(config, "none") != 0)
		goto err;
	if (tls_config_set_ecdhecurves(config, "default") != 0)
		goto err;
	if (tls_config_set_ciphers(config, "secure") != 0)
		goto err;

	if (tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT) != 0)
		goto err;
	if (tls_config_set_verify_depth(config, 6) != 0)
		goto err;

	/*
	 * Set session ID context to a random value.  For the simple case
	 * of a single process server this is good enough. For multiprocess
	 * servers the session ID needs to be set by the caller.
	 */
	arc4random_buf(sid, sizeof(sid));
	if (tls_config_set_session_id(config, sid, sizeof(sid)) != 0)
		goto err;
	config->ticket_keyrev = arc4random();
	config->ticket_autorekey = 1;

	tls_config_prefer_ciphers_server(config);

	tls_config_verify(config);

	return (config);

 err:
	tls_config_free(config);
	return (NULL);
}