1 /*
2 * Hooks for application level policies on TLS connections
3 * (C) 2004-2006,2013 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_TLS_POLICY_H__
9 #define BOTAN_TLS_POLICY_H__
10 
#include <botan/tls_version.h>
#include <botan/tls_ciphersuite.h>
#include <botan/x509cert.h>
#include <botan/dl_group.h>
#include <cstdint>
#include <map>
#include <sstream>
#include <string>
#include <vector>
17 
18 namespace Botan {
19 
20 namespace TLS {
21 
/**
* TLS Policy Base Class
*
* Inherit and override as desired to suit local policy concerns. The
* default values live in tls_policy.cpp (not shown here). Every accessor
* below is consulted during the handshake, so a permissive override weakens
* every connection made with this policy, not just a single session.
*/
class BOTAN_DLL Policy
   {
   public:

      /**
      * Returns a list of ciphers we are willing to negotiate, in
      * order of preference. Names are Botan cipher/mode strings such as
      * "AES-128/GCM" (see the derived policies in this file for examples).
      */
      virtual std::vector<std::string> allowed_ciphers() const;

      /**
      * Returns a list of hash algorithms we are willing to use for
      * signatures, in order of preference. Listing "SHA-1" here admits a
      * hash with known collision weaknesses; see also
      * minimum_signature_strength(), which independently gates SHA-1.
      */
      virtual std::vector<std::string> allowed_signature_hashes() const;

      /**
      * Returns a list of MAC algorithms we are willing to use.
      * The pseudo-name "AEAD" selects authenticated-encryption ciphersuites
      * (e.g. GCM) that carry no separate MAC, as every derived policy in
      * this file does.
      */
      virtual std::vector<std::string> allowed_macs() const;

      /**
      * Returns a list of key exchange algorithms we are willing to
      * use, in order of preference.
      *
      * The policies in this file use the names "ECDH", "DH", "PSK",
      * "ECDHE_PSK" and "DHE_PSK". The original note here also names the
      * empty string for RSA key transport (encrypting to the server
      * certificate key, which gives no forward secrecy); confirm the exact
      * spelling against the ciphersuite table before relying on it.
      */
      virtual std::vector<std::string> allowed_key_exchange_methods() const;

      /**
      * Returns a list of signature algorithms we are willing to
      * use, in order of preference. Values used in this file are
      * "RSA", "DSA" and "ECDSA".
      */
      virtual std::vector<std::string> allowed_signature_methods() const;

      /**
      * The minimum signature strength (in bits of security) we will accept
      * for signatures in the peer's certificate chain.
      * Returning 80 allows RSA 1024 and SHA-1. Values larger than 80 disable SHA-1 support.
      * Returning 110 allows RSA 2048.
      * Return 128 to force ECC (P-256) or large (~3000 bit) RSA keys.
      * Default is 110
      */
      virtual size_t minimum_signature_strength() const;

      /**
      * Return if cert revocation info (CRL/OCSP) is required
      * If true, validation will fail unless a valid CRL or OCSP response
      * was examined. If false, a peer presenting a revoked certificate
      * still passes path validation whenever no revocation data is available
      * (a "soft fail"), so leave this true wherever revocation matters.
      */
      virtual bool require_cert_revocation_info() const;

      /**
      * Convenience predicate: true iff @p sig_method is one of the values
      * returned by allowed_signature_methods(). Not virtual; the body is in
      * tls_policy.cpp and is presumably a plain membership test.
      */
      bool allowed_signature_method(const std::string& sig_method) const;

      /**
      * Return list of ECC curves we are willing to use in order of preference
      * (names such as "secp256r1", "brainpool256r1", "x25519").
      */
      virtual std::vector<std::string> allowed_ecc_curves() const;

      /**
      * Convenience predicate: true iff @p curve is one of the values
      * returned by allowed_ecc_curves().
      */
      bool allowed_ecc_curve(const std::string& curve) const;

      /**
      * Request that ECC curve points are sent compressed
      */
      virtual bool use_ecc_point_compression() const;

      /**
      * Returns a list of compression algorithms we are willing to use,
      * in order of preference. Allowed values any value of
      * Compression_Method.
      *
      * @note Compression is not currently supported. TLS-level compression
      * is also an attack surface in its own right (CRIME-style plaintext
      * recovery), so this is unlikely to be wanted even if implemented.
      */
      virtual std::vector<uint8_t> compression() const;

      /**
      * Choose an elliptic curve to use from @p curve_names, the list the
      * peer offered. Presumably picks the first entry that is also in
      * allowed_ecc_curves(); the body is in tls_policy.cpp.
      */
      virtual std::string choose_curve(const std::vector<std::string>& curve_names) const;

      /**
      * Allow renegotiation even if the counterparty doesn't
      * support the secure renegotiation extension.
      *
      * @warning Changing this to true exposes you to injected
      * plaintext attacks. Read RFC 5746 for background.
      */
      virtual bool allow_insecure_renegotiation() const;

      /**
      * The protocol dictates that the first 32 bits of the random
      * field are the current time in seconds. However this allows
      * client fingerprinting attacks (and leaks clock skew). Set to false
      * to disable, in which case random bytes will be used instead.
      */
      virtual bool include_time_in_hello_random() const;

      /**
      * Allow servers to initiate a new handshake (HelloRequest). Whether
      * that renegotiation may proceed without RFC 5746 support is governed
      * separately by allow_insecure_renegotiation().
      */
      virtual bool allow_server_initiated_renegotiation() const;

      /**
      * Allow TLS v1.0. Its CBC ciphersuites use predictable IVs (BEAST);
      * enable only for legacy peers.
      */
      virtual bool allow_tls10() const;

      /**
      * Allow TLS v1.1. Has no AEAD ciphersuites; CBC-only.
      */
      virtual bool allow_tls11() const;

      /**
      * Allow TLS v1.2
      */
      virtual bool allow_tls12() const;

      /**
      * Allow DTLS v1.0 (the datagram counterpart of TLS v1.1)
      */
      virtual bool allow_dtls10() const;

      /**
      * Allow DTLS v1.2
      */
      virtual bool allow_dtls12() const;

      /**
      * Return the name of the Diffie-Hellman group a server uses for DH
      * key exchange (a DL_Group name). Text_Policy exposes this under the
      * key "dh_group". The default is defined in tls_policy.cpp.
      */
      virtual std::string dh_group() const;

      /**
      * Return the minimum DH group size we're willing to use
      * Default is currently 1024 (insecure), should be 2048
      *
      * If the default is still 1024 bits in your build, override it:
      * 1024-bit groups are within reach of well-resourced attackers
      * (see the Logjam work on precomputation against fixed groups).
      */
      virtual size_t minimum_dh_group_size() const;

      /**
      * For ECDSA authenticated ciphersuites, the smallest key size the
      * client will accept.
      * This policy is currently only enforced by the client, against the
      * server's key; a server does not apply it to client certificates.
      */
      virtual size_t minimum_ecdsa_group_size() const;

      /**
      * Return the minimum ECDH group size we're willing to use
      * for key exchange
      *
      * Default 255, allowing x25519 and larger
      * x25519 is the smallest curve we will negotiate
      * P-521 is the largest
      */
      virtual size_t minimum_ecdh_group_size() const;

      /**
      * Return the minimum bit size we're willing to accept for RSA
      * key exchange or server signatures.
      *
      * It does not place any requirements on the size of any RSA signature(s)
      * which were used to check the server certificate. This is only
      * concerned with the server's public key. (Chain signature strength
      * is governed by minimum_signature_strength().)
      *
      * Default is 2048 which is smallest RSA key size still secure
      * for medium term security.
      */
      virtual size_t minimum_rsa_bits() const;

      /**
      * Minimum DSA group size, default 2048 bits
      */
      virtual size_t minimum_dsa_group_size() const;

      /**
      * Throw an exception if you don't like the peer's key.
      * Default impl checks the key size against minimum_rsa_bits, minimum_ecdsa_group_size,
      * or minimum_ecdh_group_size depending on the key's type.
      * Override if you'd like to perform some other kind of test on
      * (or logging of) the peer's keys.
      *
      * @param public_key the peer's key as received in the handshake
      * @throws an exception (type chosen by the implementation) to abort
      *         the handshake; returning normally accepts the key
      */
      virtual void check_peer_key_acceptable(const Public_Key& public_key) const;

      /**
      * If this function returns false, unknown SRP/PSK identifiers
      * will be rejected with an unknown_psk_identifier alert as soon
      * as the non-existence is identified. Otherwise, a false
      * identifier value will be used and the protocol allowed to
      * proceed, causing the handshake to eventually fail without
      * revealing that the username does not exist on this system.
      *
      * @note This hides the existence of a user only to the extent that
      * the fake-identity path costs the same time as a real lookup; this
      * header cannot show whether that holds, so treat the protection as
      * best-effort (cf. RFC 4279 section 7 on identity hiding).
      */
      virtual bool hide_unknown_users() const;

      /**
      * Return the allowed lifetime of a session ticket. If 0, session
      * tickets do not expire until the session ticket key rolls over.
      * Expired session tickets cannot be used to resume a session.
      * The unit is presumably seconds; confirm in tls_policy.cpp.
      */
      virtual uint32_t session_ticket_lifetime() const;

      /**
      * If this returns a non-empty vector, and DTLS is negotiated,
      * then we will also attempt to negotiate the SRTP extension from
      * RFC 5764 using the returned values as the profile ids.
      */
      virtual std::vector<uint16_t> srtp_profiles() const;

      /**
      * @return true if and only if we are willing to accept this version
      * Default accepts TLS v1.0 and later or DTLS v1.2 or later.
      * Presumably derived from the allow_tls*()/allow_dtls*() accessors;
      * override those rather than this where possible.
      */
      virtual bool acceptable_protocol_version(Protocol_Version version) const;

      /**
      * Returns the more recent protocol version we are willing to
      * use, for either TLS or DTLS depending on datagram param.
      * Shouldn't ever need to override this unless you want to allow
      * a user to disable use of TLS v1.2 (which is *not recommended*)
      */
      virtual Protocol_Version latest_supported_version(bool datagram) const;

      /**
      * When offering this version, should we send a fallback SCSV?
      * Default returns true iff version is not the latest version the
      * policy allows, exists to allow override in case of interop problems.
      * The SCSV (RFC 7507) lets a server detect a forced protocol downgrade;
      * disabling it removes that detection.
      */
      virtual bool send_fallback_scsv(Protocol_Version version) const;

      /**
      * Allows policy to reject any ciphersuites which are undesirable
      * for whatever reason without having to reimplement ciphersuite_list
      */
      virtual bool acceptable_ciphersuite(const Ciphersuite& suite) const;

      /**
      * @return true if servers should choose the ciphersuite matching
      * their highest preference, rather than the clients.
      * Has no effect on client side. Server preference is generally the
      * safer choice, since it protects clients that order weak suites first.
      */
      virtual bool server_uses_own_ciphersuite_preferences() const;

      /**
      * Indicates whether the encrypt-then-MAC extension should be negotiated
      * (RFC 7366). It removes the padding-oracle exposure of CBC
      * ciphersuites, but only when the peer also supports the extension.
      */
      virtual bool negotiate_encrypt_then_mac() const;

      /**
      * Return allowed ciphersuites, in order of preference
      *
      * @param version the protocol version being offered/negotiated
      * @param have_srp whether SRP credentials are available, so SRP
      *        suites may be included
      */
      virtual std::vector<uint16_t> ciphersuite_list(Protocol_Version version,
                                                     bool have_srp) const;

      /**
      * @return the default MTU for DTLS (bytes)
      */
      virtual size_t dtls_default_mtu() const;

      /**
      * @return the initial timeout for DTLS retransmission
      * (unit presumably milliseconds; confirm in tls_policy.cpp)
      */
      virtual size_t dtls_initial_timeout() const;

      /**
      * @return the maximum timeout for DTLS retransmission
      * (same unit as dtls_initial_timeout)
      */
      virtual size_t dtls_maximum_timeout() const;

      /**
      * Convert this policy to a printable format.
      * @param o stream to be printed to
      */
      virtual void print(std::ostream& o) const;

      /**
      * Convert this policy to a printable format.
      * Same as calling `print` on a ostringstream and reading o.str()
      */
      std::string to_string() const;

      // Polymorphic base: policies are held and deleted through Policy*.
      virtual ~Policy() = default;
   };
302 
/**
* NSA Suite B 128-bit security level (RFC 6460)
*
* Pins the handshake to the Suite B 128-bit profile: AES-128 in GCM
* (AEAD, no separate MAC), SHA-256 signatures, ECDH over P-256 with ECDSA
* authentication, TLS v1.2 only. DTLS is not offered at all. The
* signature-strength floor is raised to 128 so weaker certificate chains
* are refused. Everything else inherits the Policy defaults.
*
* @note Suite B has since been superseded by the NSA's CNSA suite, which
* moves to 384-bit parameters; keep this policy only where RFC 6460
* compliance is specifically required.
*/
class BOTAN_DLL NSA_Suite_B_128 : public Policy
   {
   public:
      // Algorithm lists: exactly one entry each, as the profile demands.
      std::vector<std::string> allowed_ciphers() const override
         { return { "AES-128/GCM" }; }

      std::vector<std::string> allowed_signature_hashes() const override
         { return { "SHA-256" }; }

      std::vector<std::string> allowed_macs() const override
         { return { "AEAD" }; }

      std::vector<std::string> allowed_key_exchange_methods() const override
         { return { "ECDH" }; }

      std::vector<std::string> allowed_signature_methods() const override
         { return { "ECDSA" }; }

      std::vector<std::string> allowed_ecc_curves() const override
         { return { "secp256r1" }; }

      // 128 bits: excludes SHA-1 and RSA keys below roughly 3000 bits.
      size_t minimum_signature_strength() const override { return 128; }

      // Protocol versions: TLS v1.2 is the only one enabled.
      bool allow_tls12() const override { return true; }
      bool allow_tls11() const override { return false; }
      bool allow_tls10() const override { return false; }
      bool allow_dtls12() const override { return false; }
      bool allow_dtls10() const override { return false; }
   };
335 
/**
* BSI TR-02102-2 Policy
*
* Algorithm and key-size selection following the German BSI technical
* guideline TR-02102-2 for TLS: AES (GCM preferred, CBC permitted) with
* SHA-256/SHA-384, (EC)DH and PSK key exchange, ECDSA/RSA/DSA signatures,
* Brainpool and NIST P-curves, and TLS v1.2 only (no DTLS). The 2000-bit
* and 250-bit floors below correspond to the guideline's minimum key
* lengths for finite-field and elliptic-curve parameters respectively.
*
* Encrypt-then-MAC (RFC 7366) is requested so that the CBC suites are not
* exposed to padding-oracle attacks; a peer that lacks the extension
* presumably still negotiates classic MAC-then-encrypt CBC, so drop
* "AES-256"/"AES-128" from allowed_ciphers() if that is unacceptable.
* Note that plain "PSK" key exchange offers no forward secrecy, and that
* server-initiated renegotiation is left enabled.
*/
class BOTAN_DLL BSI_TR_02102_2 : public Policy
   {
   public:
      std::vector<std::string> allowed_ciphers() const override
         {
         // AEAD modes first, CBC as a fallback.
         return { "AES-256/GCM", "AES-128/GCM", "AES-256", "AES-128" };
         }

      std::vector<std::string> allowed_signature_hashes() const override
         {
         return { "SHA-384", "SHA-256" };
         }

      std::vector<std::string> allowed_macs() const override
         {
         return { "AEAD", "SHA-384", "SHA-256" };
         }

      std::vector<std::string> allowed_key_exchange_methods() const override
         {
         return { "ECDH", "DH", "PSK", "ECDHE_PSK", "DHE_PSK" };
         }

      std::vector<std::string> allowed_signature_methods() const override
         {
         return { "ECDSA", "RSA", "DSA" };
         }

      std::vector<std::string> allowed_ecc_curves() const override
         {
         // Brainpool curves preferred, NIST P-curves accepted.
         return { "brainpool512r1", "brainpool384r1", "brainpool256r1", "secp384r1", "secp256r1" };
         }

      // Handshake behaviour
      bool allow_insecure_renegotiation() const override { return false; }
      bool allow_server_initiated_renegotiation() const override { return true; }
      bool server_uses_own_ciphersuite_preferences() const override { return true; }
      bool negotiate_encrypt_then_mac() const override { return true; }

      // Finite-field minimums (bits)
      size_t minimum_rsa_bits() const override { return 2000; }
      size_t minimum_dh_group_size() const override { return 2000; }
      size_t minimum_dsa_group_size() const override { return 2000; }

      // Elliptic-curve minimums (bits)
      size_t minimum_ecdh_group_size() const override { return 250; }
      size_t minimum_ecdsa_group_size() const override { return 250; }

      // Protocol versions: TLS v1.2 only
      bool allow_tls12() const override { return true; }
      bool allow_tls11() const override { return false; }
      bool allow_tls10() const override { return false; }
      bool allow_dtls12() const override { return false; }
      bool allow_dtls10() const override { return false; }
   };
390 
/**
* Policy for DTLS. We require DTLS v1.2 and an AEAD mode.
*
* Only the MAC list and the version switches are overridden: every
* stream-TLS version and DTLS v1.0 are disabled, and restricting
* allowed_macs() to "AEAD" drops the CBC ciphersuites. Cipher, key
* exchange, signature and curve choices remain the Policy defaults.
*/
class BOTAN_DLL Datagram_Policy : public Policy
   {
   public:
      std::vector<std::string> allowed_macs() const override
         { return { "AEAD" }; }

      // DTLS v1.2 is the sole permitted protocol version.
      bool allow_dtls12() const override { return true; }
      bool allow_dtls10() const override { return false; }
      bool allow_tls12() const override { return false; }
      bool allow_tls11() const override { return false; }
      bool allow_tls10() const override { return false; }
   };
406 
/**
* This policy requires a secure version of TLS and disables all insecure
* algorithms. It is compatible with other Botan TLS peers (including those
* using the default policy) and with many other recent implementations. It
* is a good choice if you control both sides of the protocol and do not have
* to worry about ancient and/or bizarre TLS implementations.
*
* The concrete algorithm lists and version switches are defined in
* tls_policy.cpp (not shown here); only the overrides are declared below.
* Signature methods, ECC curves and the minimum key sizes are inherited
* unchanged from Policy.
*/
class BOTAN_DLL Strict_Policy : public Policy
   {
   public:
      std::vector<std::string> allowed_ciphers() const override;

      std::vector<std::string> allowed_signature_hashes() const override;

      std::vector<std::string> allowed_macs() const override;

      std::vector<std::string> allowed_key_exchange_methods() const override;

      bool allow_tls10() const override;
      bool allow_tls11() const override;
      bool allow_tls12() const override;
      bool allow_dtls10() const override;
      bool allow_dtls12() const override;
   };
431 
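/**
* A Policy whose settings are read from a text configuration.
*
* The constructors hand the text to read_cfg(), which produces a flat
* key/value map (one key = value per line, presumably; see read_cfg.cpp).
* Each accessor looks up a single key and falls back to the Policy default
* when the key is absent. Keys recognised here:
*
*   space-separated lists: ciphers, signature_hashes, macs,
*       key_exchange_methods, signature_methods, ecc_curves, srtp_profiles
*   booleans ("true"/"True"/"false"/"False"): use_ecc_point_compression,
*       allow_tls10, allow_tls11, allow_tls12, allow_dtls10, allow_dtls12,
*       allow_insecure_renegotiation, include_time_in_hello_random,
*       allow_server_initiated_renegotiation,
*       server_uses_own_ciphersuite_preferences, negotiate_encrypt_then_mac,
*       hide_unknown_users, require_cert_revocation_info, send_fallback_scsv
*   integers: minimum_ecdh_group_size, minimum_ecdsa_group_size,
*       minimum_dh_group_size, minimum_dsa_group_size, minimum_rsa_bits,
*       minimum_signature_strength, session_ticket_lifetime
*   string: dh_group
*
* The configuration can lower every limit (e.g. allow_tls10 = true or
* minimum_rsa_bits = 512), so it must come from a trusted source and be
* protected like other security configuration.
*
* Unknown keys are silently ignored: a misspelled key leaves the Policy
* default in force. Compare print() output against the intended settings.
*/
class BOTAN_DLL Text_Policy : public Policy
   {
   public:

      std::vector<std::string> allowed_ciphers() const override
         { return get_list("ciphers", Policy::allowed_ciphers()); }

      std::vector<std::string> allowed_signature_hashes() const override
         { return get_list("signature_hashes", Policy::allowed_signature_hashes()); }

      std::vector<std::string> allowed_macs() const override
         { return get_list("macs", Policy::allowed_macs()); }

      std::vector<std::string> allowed_key_exchange_methods() const override
         { return get_list("key_exchange_methods", Policy::allowed_key_exchange_methods()); }

      std::vector<std::string> allowed_signature_methods() const override
         { return get_list("signature_methods", Policy::allowed_signature_methods()); }

      std::vector<std::string> allowed_ecc_curves() const override
         { return get_list("ecc_curves", Policy::allowed_ecc_curves()); }

      bool use_ecc_point_compression() const override
         { return get_bool("use_ecc_point_compression", Policy::use_ecc_point_compression()); }

      bool allow_tls10() const override
         { return get_bool("allow_tls10", Policy::allow_tls10()); }

      bool allow_tls11() const override
         { return get_bool("allow_tls11", Policy::allow_tls11()); }

      bool allow_tls12() const override
         { return get_bool("allow_tls12", Policy::allow_tls12()); }

      bool allow_dtls10() const override
         { return get_bool("allow_dtls10", Policy::allow_dtls10()); }

      bool allow_dtls12() const override
         { return get_bool("allow_dtls12", Policy::allow_dtls12()); }

      bool allow_insecure_renegotiation() const override
         { return get_bool("allow_insecure_renegotiation", Policy::allow_insecure_renegotiation()); }

      bool include_time_in_hello_random() const override
         { return get_bool("include_time_in_hello_random", Policy::include_time_in_hello_random()); }

      bool allow_server_initiated_renegotiation() const override
         { return get_bool("allow_server_initiated_renegotiation", Policy::allow_server_initiated_renegotiation()); }

      bool server_uses_own_ciphersuite_preferences() const override
         { return get_bool("server_uses_own_ciphersuite_preferences", Policy::server_uses_own_ciphersuite_preferences()); }

      bool negotiate_encrypt_then_mac() const override
         { return get_bool("negotiate_encrypt_then_mac", Policy::negotiate_encrypt_then_mac()); }

      bool require_cert_revocation_info() const override
         { return get_bool("require_cert_revocation_info", Policy::require_cert_revocation_info()); }

      std::string dh_group() const override
         { return get_str("dh_group", Policy::dh_group()); }

      size_t minimum_ecdh_group_size() const override
         { return get_len("minimum_ecdh_group_size", Policy::minimum_ecdh_group_size()); }

      size_t minimum_ecdsa_group_size() const override
         { return get_len("minimum_ecdsa_group_size", Policy::minimum_ecdsa_group_size()); }

      size_t minimum_dh_group_size() const override
         { return get_len("minimum_dh_group_size", Policy::minimum_dh_group_size()); }

      // DSA was the one key-size floor not exposed to the configuration;
      // same lookup pattern as the other minimum_* keys.
      size_t minimum_dsa_group_size() const override
         { return get_len("minimum_dsa_group_size", Policy::minimum_dsa_group_size()); }

      size_t minimum_rsa_bits() const override
         { return get_len("minimum_rsa_bits", Policy::minimum_rsa_bits()); }

      size_t minimum_signature_strength() const override
         { return get_len("minimum_signature_strength", Policy::minimum_signature_strength()); }

      bool hide_unknown_users() const override
         { return get_bool("hide_unknown_users", Policy::hide_unknown_users()); }

      uint32_t session_ticket_lifetime() const override
         { return static_cast<uint32_t>(get_len("session_ticket_lifetime", Policy::session_ticket_lifetime())); }

      /**
      * Unlike every other accessor here, this one defaults to *off*: the
      * fallback SCSV (RFC 7507) is offered only when the configuration
      * contains send_fallback_scsv = true, and then only for versions the
      * base Policy would flag. Set the key if the application performs its
      * own protocol-version downgrade retries.
      */
      bool send_fallback_scsv(Protocol_Version version) const override
         { return get_bool("send_fallback_scsv", false) ? Policy::send_fallback_scsv(version) : false; }

      /**
      * SRTP profile ids from the "srtp_profiles" key, one decimal number
      * per list entry. Profile ids are 16 bits on the wire (RFC 5764), so
      * an entry above 65535 is rejected instead of being truncated to a
      * different, valid-looking id.
      */
      std::vector<uint16_t> srtp_profiles() const override
         {
         std::vector<uint16_t> r;
         for(auto&& p : get_list("srtp_profiles", std::vector<std::string>()))
            {
            const uint32_t id = to_u32bit(p);
            if(id > 0xFFFF)
               throw Exception("Invalid SRTP profile id '" + p + "'");
            r.push_back(static_cast<uint16_t>(id));
            }
         return r;
         }

      /**
      * Set (or replace) a single key after construction. Takes precedence
      * over whatever the parsed configuration held for @p k.
      */
      void set(const std::string& k, const std::string& v) { m_kv[k] = v; }

      /**
      * Parse a policy from an in-memory configuration string.
      */
      explicit Text_Policy(const std::string& s)
         {
         std::istringstream iss(s);
         m_kv = read_cfg(iss);
         }

      /**
      * Parse a policy from a configuration stream (e.g. an open file).
      */
      explicit Text_Policy(std::istream& in) : m_kv(read_cfg(in))
         {}

   private:

      // Space-separated list under @p key, or @p def when the key is
      // absent or empty.
      std::vector<std::string> get_list(const std::string& key,
                                        const std::vector<std::string>& def) const
         {
         const std::string v = get_str(key);

         if(v.empty())
            return def;

         return split_on(v, ' ');
         }

      // Unsigned integer under @p key, or @p def when absent or empty.
      // A non-numeric value is left to to_u32bit() to reject.
      size_t get_len(const std::string& key, size_t def) const
         {
         const std::string v = get_str(key);

         if(v.empty())
            return def;

         return to_u32bit(v);
         }

      // Boolean under @p key, or @p def when absent or empty. Only the
      // four spellings below are accepted; anything else is an error
      // rather than being read as false.
      bool get_bool(const std::string& key, bool def) const
         {
         const std::string v = get_str(key);

         if(v.empty())
            return def;

         if(v == "true" || v == "True")
            return true;
         else if(v == "false" || v == "False")
            return false;
         else
            throw Exception("Invalid boolean '" + v + "'");
         }

      // Raw string under @p key, or @p def when the key is absent.
      std::string get_str(const std::string& key, const std::string& def = "") const
         {
         auto i = m_kv.find(key);
         if(i == m_kv.end())
            return def;

         return i->second;
         }

      std::map<std::string, std::string> m_kv;
   };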
584 
585 }
586 
587 }
588 
589 #endif
Definition: tls_policy.cpp:273