Returns a list of EC Point Formats supported, only 0x00 (Uncompressed) is supported at the moment.
Returns a list of ciphers we are willing to negotiate, in order of preference.
Returns a list of hash algorithms we are willing to use for signatures, in order of preference.
Returns a list of MAC algorithms we are willing to use.
Returns a list of key exchange algorithms we are willing to use, in order of preference. Allowed values: DH, empty string (representing RSA using server certificate key)
Returns a list of signature algorithms we are willing to use, in order of preference. Allowed values RSA and DSA.
Return list of ECC curves we are willing to use in order of preference
Returns a list of compression algorithms we are willing to use, in order of preference. Allowed values any value of Compression_Method.
Choose an elliptic curve to use
Attempt to negotiate the use of the heartbeat extension
Allow renegotiation even if the counterparty doesn't support the secure renegotiation extension.
The protocol dictates that the first 32 bits of the random field are the current time in seconds. However this allows client fingerprinting attacks. Set to false to disable, in which case random bytes will be used instead.
Allow servers to initiate a new handshake
Return the group to use for ephemeral Diffie-Hellman key agreement
Return the minimum DH group size we're willing to use
If this function returns false, unknown SRP/PSK identifiers will be rejected with an unknown_psk_identifier alert as soon as the non-existence is identified. Otherwise, a false identifier value will be used and the protocol allowed to proceed, causing the handshake to eventually fail without revealing that the username does not exist on this system.
Return the allowed lifetime of a session ticket. If 0, session tickets do not expire until the session ticket key rolls over. Expired session tickets cannot be used to resume a session.
Returns the more recent protocol version we are willing to use, for either TLS or DTLS depending on datagram param. Shouldn't ever need to override this unless you want to allow a user to disable use of TLS v1.2 (which is *not recommended*)
When offering this version, should we send a fallback SCSV? Default returns true iff version is the latest version the policy allows, exists to allow override in case of interop problems.
Allows policy to reject any ciphersuites which are undesirable for whatever reason without having to reimplement ciphersuite_list
Apply GREASE to TLS extensibility draft-davidben-tls-grease-01. This will add 2 extensions of distinct types 0x?a?a (1 empty at the beginning and 1 with 1 byte at the end) It will also add an invalid ciphersuite of type 0x?a?a and an invalid ECC curve of type 0x?a?a These are purposely invalid and the client will fail and close the connection if the server accepts them
Return allowed ciphersuites, in order of preference
NSA Suite B 128-bit security level (see @rfc 6460)