github.com/mono/boringssl.git
author: David Benjamin <davidben@google.com> 2016-09-03 04:35:25 +0300
committer: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> 2016-09-24 00:11:15 +0300
commit: 65ac997f20cb83eb6c7edd6712be63fe1d0f466f
tree: 0e6e9e307027dcb6c2f80a8a55c21885e101a13e /include/openssl
parent: 0c0a94d07bedf2db47bcc93dacd1e33e6b17855e
Implement draft-davidben-tls-grease-01.

This GREASEs cipher suites, groups, and extensions. For now, we'll always place them in a hard-coded position. We can experiment with more interesting strategies later.

If we add new ciphers and curves, presumably we prefer them over current ones, so place GREASE values at the front. This prevents implementations from parsing only the first value and ignoring the rest.

Add two new extensions, one empty and one non-empty. Place the empty one in front (IBM WebSphere can't handle trailing empty extensions) and the non-empty one at the end.

Change-Id: If2e009936bc298cedf2a7a593ce7d5d5ddbb841a
Reviewed-on: https://boringssl-review.googlesource.com/11241
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
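
The commit message says that GREASE values placed at the front catch peers that parse only the first value. The following C program is an added example, not code from this commit or from BoringSSL: it contrasts such a peer with one that walks the whole list and ignores unknown values. The function names, the supported-suite list and the sample offer are constructed for illustration; the 0x?A?A code-point pattern is the one reserved by the GREASE draft.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* GREASE code points (per the GREASE draft) are 0x0A0A, 0x1A1A, ... 0xFAFA:
 * both bytes equal, low nibble 0xA. Useful for logging, not for selection. */
int is_grease(uint16_t v) {
  return (v & 0x0f0f) == 0x0a0a && (v >> 8) == (v & 0xff);
}

/* Hypothetical server-side list of supported cipher suites. */
const uint16_t kSupported[] = {0xc02f, 0xc02b};

int is_supported(uint16_t v) {
  for (size_t i = 0; i < sizeof(kSupported) / sizeof(kSupported[0]); i++) {
    if (kSupported[i] == v) return 1;
  }
  return 0;
}

/* Intolerant peer: inspects only the first offered value. Returns 0 when
 * nothing is selected (0 is not in kSupported). */
uint16_t select_first_only(const uint8_t *in, size_t len) {
  if (len < 2 || len % 2 != 0) return 0;
  uint16_t v = (uint16_t)((in[0] << 8) | in[1]);
  return is_supported(v) ? v : 0;
}

/* Tolerant peer: walks the whole list and ignores every unknown value, so
 * GREASE needs no special case. Returns 0 when nothing is selected. */
uint16_t select_tolerant(const uint8_t *in, size_t len) {
  if (len % 2 != 0) return 0;
  for (size_t i = 0; i + 1 < len; i += 2) {
    uint16_t v = (uint16_t)((in[i] << 8) | in[i + 1]);
    if (is_supported(v)) return v;
  }
  return 0;
}

/* Constructed cipher_suites body: one GREASE value in front, two real suites. */
const uint8_t kOffer[] = {0x3a, 0x3a, 0xc0, 0x2b, 0xc0, 0x2f};

int main(void) {
  printf("first value is GREASE: %d\n", is_grease(0x3a3a));
  printf("first-only: 0x%04x\n", select_first_only(kOffer, sizeof(kOffer)));
  printf("tolerant:   0x%04x\n", select_tolerant(kOffer, sizeof(kOffer)));
  return 0;
}
```
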
Diffstat (limited to 'include/openssl')
-rw-r--r-- include/openssl/ssl.h 14
1 files changed, 11 insertions, 3 deletions
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 8454c307..3cf4e03b 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3101,6 +3101,10 @@ OPENSSL_EXPORT const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl);
OPENSSL_EXPORT void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx,
int enable);
+/* SSL_CTX_set_grease_enabled configures whether client sockets on |ctx| should
+ * enable GREASE. See draft-davidben-tls-grease-01. */
+OPENSSL_EXPORT void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled);
+
/* Deprecated functions. */
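Review bot: The doc comment on SSL_CTX_set_grease_enabled does not state the default, so a caller reading ssl.h cannot tell whether GREASE is already on for a fresh |ctx| or has to be enabled explicitly. Please add a sentence giving the default and saying that any non-zero |enabled| turns it on. It would also help to note that the setting has no effect on server sockets, since the comment only mentions clients in passing.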
@@ -3992,11 +3996,15 @@ struct ssl_ctx_st {
/* If true, a client will request certificate timestamps. */
unsigned signed_cert_timestamps_enabled:1;
- /* tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server,
- * means that we'll accept Channel IDs from clients. For a client, means that
- * we'll advertise support. */
+ /* tlsext_channel_id_enabled is one if Channel ID is enabled and zero
+ * otherwise. For a server, means that we'll accept Channel IDs from clients.
+ * For a client, means that we'll advertise support. */
unsigned tlsext_channel_id_enabled:1;
+ /* grease_enabled is one if draft-davidben-tls-grease-01 is enabled and zero
+ * otherwise. */
+ unsigned grease_enabled:1;
+
/* extra_certs is a dummy value included for compatibility.
* TODO(agl): remove once node.js no longer references this. */
STACK_OF(X509)* extra_certs;
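Review bot: The comment on the new grease_enabled field says only that it is "one if draft-davidben-tls-grease-01 is enabled", while the SSL_CTX_set_grease_enabled comment scopes the feature to client sockets; the field comment should carry the same client-only wording so the two do not drift. Separately, the rewording of the tlsext_channel_id_enabled comment in this hunk is unrelated to GREASE and would be easier to review as its own change, and its two trailing sentences ("For a server, means that ...") still lack a subject.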