struct tls_config * tls_config_new(void) { struct tls_config *config; if ((config = calloc(1, sizeof(*config))) == NULL) return (NULL); /* * Default configuration. */ if (tls_config_set_ca_file(config, _PATH_SSL_CA_FILE) != 0) goto err; if (tls_config_set_dheparams(config, "none") != 0) goto err; if (tls_config_set_ecdhecurve(config, "auto") != 0) goto err; if (tls_config_set_ciphers(config, "secure") != 0) goto err; tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT); tls_config_set_verify_depth(config, 6); tls_config_prefer_ciphers_server(config); tls_config_verify(config); return (config); err: tls_config_free(config); return (NULL); }
struct tls_config * tls_config_new_internal(void) { struct tls_config *config; unsigned char sid[TLS_MAX_SESSION_ID_LENGTH]; if ((config = calloc(1, sizeof(*config))) == NULL) return (NULL); if ((config->keypair = tls_keypair_new()) == NULL) goto err; config->refcount = 1; config->session_fd = -1; /* * Default configuration. */ if (tls_config_set_dheparams(config, "none") != 0) goto err; if (tls_config_set_ecdhecurves(config, "default") != 0) goto err; if (tls_config_set_ciphers(config, "secure") != 0) goto err; if (tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT) != 0) goto err; if (tls_config_set_verify_depth(config, 6) != 0) goto err; /* * Set session ID context to a random value. For the simple case * of a single process server this is good enough. For multiprocess * servers the session ID needs to be set by the caller. */ arc4random_buf(sid, sizeof(sid)); if (tls_config_set_session_id(config, sid, sizeof(sid)) != 0) goto err; config->ticket_keyrev = arc4random(); config->ticket_autorekey = 1; tls_config_prefer_ciphers_server(config); tls_config_verify(config); return (config); err: tls_config_free(config); return (NULL); }