unsigned int (*record_minus)(record_t *buf, void *ptr, unsigned int size);
bool invalid_hb_used; //!< Whether heartbleed attack was detected.
+ bool connected; //!< whether the outgoing socket is connected
/*
* Framed-MTU attribute in RADIUS, if present, can also be used to set this
#ifdef ENABLE_OPENSSL_VERSION_CHECK
int tls_global_version_check(char const *acknowledged);
#endif
+
+int tls_error_log(REQUEST *request, char const *msg, ...) CC_HINT(format (printf, 2, 3));
+int tls_error_io_log(REQUEST *request, tls_session_t *session, int ret, char const *msg, ...)
+ CC_HINT(format (printf, 4, 5));
+
void tls_global_cleanup(void);
tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQUEST *request, bool client_cert);
tls_session_t *tls_new_client_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, int fd);
fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs);
fr_tls_server_conf_t *tls_client_conf_parse(CONF_SECTION *cs);
+fr_tls_server_conf_t *tls_server_conf_alloc(TALLOC_CTX *ctx);
SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client);
int tls_handshake_recv(REQUEST *, tls_session_t *ssn);
int tls_handshake_send(REQUEST *, tls_session_t *ssn);
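Review bot: The three new declarations (`tls_error_log`, `tls_error_io_log`, `tls_server_conf_alloc`) carry no documentation, while the rest of this header annotates fields with Doxygen `//!<` comments; in particular nothing says what the `int` returned by the two logging functions encodes or who owns the result of `tls_server_conf_alloc`. I would add a short `/** ... */` block above each: for the loggers, state the meaning of the return value (presumably a count of OpenSSL errors drained from the error queue — confirm against the implementation) and that `ret` in `tls_error_io_log` is the raw `SSL_read`/`SSL_write` result to be interpreted via `SSL_get_error` (again to be confirmed); for `tls_server_conf_alloc`, state that the returned struct is a talloc child of `ctx` and is freed with it, if that is the intent. The `CC_HINT(format (printf, 2, 3))` and `(printf, 4, 5)` indices do match the position of `msg` and the `...` in each prototype, so the compiler will check callers' format strings as intended.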
char const *ca_file;
char const *dh_file;
char const *rsa_file;
- bool rsa_key;
- bool dh_key;
- uint32_t rsa_key_length;
- uint32_t dh_key_length;
uint32_t verify_depth;
bool file_type;
bool include_length;
+ bool auto_chain;
+ bool disable_single_dh_use;
bool disable_tlsv1;
bool disable_tlsv1_1;
bool disable_tlsv1_2;
/*
- * Always < 4096 (due to radius limit), 0 by default = 2048
+ * Always < 4096 (due to radius limit), 0 by default = 1024
*/
uint32_t fragment_size;
bool check_crl;
bool allow_expired_crl;
char const *check_cert_cn;
char const *cipher_list;
+ bool cipher_server_preference;
char const *check_cert_issuer;
bool session_cache_enable;
char session_context_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
time_t session_last_flushed;
+ bool verify_skip_if_ocsp_ok;
char const *verify_tmp_dir;
char const *verify_client_cert_cmd;
bool require_client_cert;
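Review bot: The new fields `disable_single_dh_use` (hunk line adding it after `auto_chain`) and `verify_skip_if_ocsp_ok` change security behaviour but are added without a comment, unlike `connected` and `invalid_hb_used` which use `//!<` annotations; a maintainer reading this header cannot tell which direction is the safe default. If `disable_single_dh_use` maps to clearing OpenSSL's `SSL_OP_SINGLE_DH_USE` (inferred from the name — confirm in the `.c` side), document that it makes the server reuse its DH exponent across handshakes and so weakens forward secrecy, e.g. `bool disable_single_dh_use; //!< Reuse the DH private exponent across handshakes (compatibility only; weakens forward secrecy).` Likewise `verify_skip_if_ocsp_ok` appears to bypass the `verify_client_cert_cmd` step when OCSP succeeded; a comment such as `//!< Skip verify_client_cert_cmd when the OCSP check already passed` (wording to be confirmed against the implementation) would make the trade-off explicit. The enclosing struct starts before this hunk and continues past its last line.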