botan v1.13.4 (2023-03-01T00:35:38Z)

TLSPolicy

botan tls policy

TLSPolicy Base Class Inherit and overload as desired to suit local policy concerns

static if(BOTAN_HAS_TLS)
class TLSPolicy {
Vector!HandshakeExtensionType enabledExtensions();
Vector!ubyte ecPointFormats();
Vector!string allowedCiphers();
Vector!string allowedSignatureHashes();
Vector!string allowedMacs();
Vector!string allowedKeyExchangeMethods();
Vector!string allowedSignatureMethods();
Vector!string allowedEccCurves();
Vector!ubyte compression();
string chooseCurve(Vector!string curve_names);
bool negotiateHeartbeatSupport();
bool allowInsecureRenegotiation();
bool includeTimeInHelloRandom();
bool allowServerInitiatedRenegotiation();
DLGroup dhGroup();
size_t minimumDhGroupSize();
bool hideUnknownUsers();
Duration sessionTicketLifetime();
bool acceptableProtocolVersion(TLSProtocolVersion _version);
TLSProtocolVersion latestSupportedVersion(bool datagram);
bool sendFallbackSCSV(TLSProtocolVersion _version);
bool acceptableCiphersuite(TLSCiphersuite );
bool allowClientHelloGrease();
bool serverUsesOwnCiphersuitePreferences();
Vector!ubyte signatureAlgorithms();
Vector!ushort ciphersuiteList(TLSProtocolVersion _version, bool have_srp);
~this();
}

Destructor

~this
~this()
Undocumented in source.

Members

Functions

acceptableCiphersuite
bool acceptableCiphersuite(TLSCiphersuite )

Allows policy to reject any ciphersuites which are undesirable for whatever reason without having to reimplement ciphersuite_list

acceptableProtocolVersion
bool acceptableProtocolVersion(TLSProtocolVersion _version)
allowClientHelloGrease
bool allowClientHelloGrease()

Apply GREASE to TLS extensibility draft-davidben-tls-grease-01. This will add 2 extensions of distinct types 0x?a?a (1 empty at the beginning and 1 with 1 byte at the end) It will also add an invalid ciphersuite of type 0x?a?a and an invalid ECC curve of type 0x?a?a These are purposely invalid and the client will fail and close the connection if the server accepts them

allowInsecureRenegotiation
bool allowInsecureRenegotiation()

Allow renegotiation even if the counterparty doesn't support the secure renegotiation extension.

allowServerInitiatedRenegotiation
bool allowServerInitiatedRenegotiation()

Allow servers to initiate a new handshake

allowedCiphers
Vector!string allowedCiphers()

Returns a list of ciphers we are willing to negotiate, in order of preference.

allowedEccCurves
Vector!string allowedEccCurves()

Return list of ECC curves we are willing to use in order of preference

allowedKeyExchangeMethods
Vector!string allowedKeyExchangeMethods()

Returns a list of key exchange algorithms we are willing to use, in order of preference. Allowed values: DH, empty string (representing RSA using server certificate key)

allowedMacs
Vector!string allowedMacs()

Returns a list of MAC algorithms we are willing to use.

allowedSignatureHashes
Vector!string allowedSignatureHashes()

Returns a list of hash algorithms we are willing to use for signatures, in order of preference.

allowedSignatureMethods
Vector!string allowedSignatureMethods()

Returns a list of signature algorithms we are willing to use, in order of preference. Allowed values RSA and DSA.

chooseCurve
string chooseCurve(Vector!string curve_names)

Choose an elliptic curve to use

ciphersuiteList
Vector!ushort ciphersuiteList(TLSProtocolVersion _version, bool have_srp)

Return allowed ciphersuites, in order of preference

compression
Vector!ubyte compression()

Returns a list of compression algorithms we are willing to use, in order of preference. Allowed values any value of Compression_Method.

dhGroup
DLGroup dhGroup()

Return the group to use for ephemeral Diffie-Hellman key agreement

ecPointFormats
Vector!ubyte ecPointFormats()

Returns a list of EC Point Formats supported, only 0x00 (Uncompressed) is supported at the moment.

enabledExtensions
Vector!HandshakeExtensionType enabledExtensions()
Undocumented in source. Be warned that the author may not have intended to support it.
hideUnknownUsers
bool hideUnknownUsers()

If this function returns false, unknown SRP/PSK identifiers will be rejected with an unknown_psk_identifier alert as soon as the non-existence is identified. Otherwise, a false identifier value will be used and the protocol allowed to proceed, causing the handshake to eventually fail without revealing that the username does not exist on this system.

includeTimeInHelloRandom
bool includeTimeInHelloRandom()

The protocol dictates that the first 32 bits of the random field are the current time in seconds. However this allows client fingerprinting attacks. Set to false to disable, in which case random bytes will be used instead.

latestSupportedVersion
TLSProtocolVersion latestSupportedVersion(bool datagram)

Returns the more recent protocol version we are willing to use, for either TLS or DTLS depending on datagram param. Shouldn't ever need to override this unless you want to allow a user to disable use of TLS v1.2 (which is *not recommended*)

minimumDhGroupSize
size_t minimumDhGroupSize()

Return the minimum DH group size we're willing to use

negotiateHeartbeatSupport
bool negotiateHeartbeatSupport()

Attempt to negotiate the use of the heartbeat extension

sendFallbackSCSV
bool sendFallbackSCSV(TLSProtocolVersion _version)

When offering this version, should we send a fallback SCSV? Default returns true iff version is the latest version the policy allows, exists to allow override in case of interop problems.

serverUsesOwnCiphersuitePreferences
bool serverUsesOwnCiphersuitePreferences()
sessionTicketLifetime
Duration sessionTicketLifetime()

Return the allowed lifetime of a session ticket. If 0, session tickets do not expire until the session ticket key rolls over. Expired session tickets cannot be used to resume a session.

signatureAlgorithms
Vector!ubyte signatureAlgorithms()
Undocumented in source. Be warned that the author may not have intended to support it.

Meta

Source

See Implementation

botan tls policy classes

Page generated by adrdox