Gray C++ Libraries  0.0.2
A set of C++ libraries for MSVC, GNU on Windows, WinCE, Linux
GraySSL::cSSLConfig Class Reference

#include <cSSLConfig.h>

Inheritance diagram for GraySSL::cSSLConfig:
GrayLib::cSSLSessionConfig GrayLib::cSSL

Public Member Functions

 cSSLConfig ()
 
 ~cSSLConfig ()
 
bool CheckOpts ()
 
void SetCipherSuiteList (const SSL_CipherSuite_t *ciphersuites, SSL_VERSION_TYPE v)
 
void put_AllowRC4 (bool bAllowRC4)
 
bool IsECPGroupAllowed (const cECPGroup &grp) const
 
void put_AuthMode (SSL_AUTHMODE_TYPE eAuthMode)
 
void put_VerifyCert (IX509VerifyCert *pVerifyCert)
 
HRESULT VerifyCrt (cX509Crt *pCrt, const char *pszPeerCN, OUT X509_Verify_t &eVerifyResults) const
 
void put_RandomNoise (IRandomNoise *pRandom)
 
void put_EncryptThenMac (bool etm)
 
void put_UseExtendedMasterSecret (bool ems)
 
void put_VersionMin (SSL_VERSION_TYPE v)
 
void put_VersionMax (SSL_VERSION_TYPE v)
 
HRESULT put_MaxFragLenCode (SSL_MAX_FRAG_TYPE eMaxFragLenCode)
 
void put_UseTruncatedHMAC (bool bTruncatedHMAC)
 
void put_RenoLegacyType (SSL_RENO_LEGACY_TYPE allow_legacy)
 
void put_FallbackSCSV (bool fallback)
 
HRESULT put_AlpnProtocols (const char **ppAlpnList)
 
const char * FindAlpn (const BYTE *pFind, StrLen_t nLenFind) const
 
void put_UseSessionTickets (bool bUseTickets)
 
void put_SessionTicketLifetime (TIMESECD_t lifetime)
 
void SetCAChain (cX509Crt *pCaChain, cX509Crl *pCaCrl)
 
HRESULT SetKeyExDHMParams (const char *dhm_P, const char *dhm_G)
 
HRESULT SetKeyExDHMParams (cKeyExDHM *dhm_ctx)
 
- Public Member Functions inherited from GrayLib::cSSLSessionConfig
 cSSLSessionConfig () noexcept
 

Public Attributes

cRangeT< SSL_VERSION_TYPE > m_VerRange
 What range of versions do we support? More...
 
bool m_bExtendedMasterSecret
 flag for extended master secret. Extended Master Secret, aka Session Hash (draft-ietf-tls-session-hash-02, now RFC 7627). More...
 
IRandomNoise * m_pRandom
 random number generator. g_Rand. More...
 
bool m_bAllowRC4
 flag for enabling/disabling SSL_Cipher_RC4_128. default = false. TODO: get rid of this and control RC4 through m_pCipherSuiteList instead. More...
 
const SSL_CipherSuite_t * m_pCipherSuiteList [SSL_VERSION_QTY]
 allowed ciphersuites for each version More...
 
cECPGroupPrefs m_ECPGroupsAllowed
 Allow only these ECPGroup_TYPE curves. 0 terminated array of ECPGroup_TYPE. More...
 
const char ** m_ppAlpnList
 ordered list of supported protocols. nullptr terminated. More...
 
bool m_bFallbackSCSV
 flag for allowing fallback connections SSL_FALLBACK_SCSV cipher suite ? (Client only) More...
 
SSL_RENO_LEGACY_TYPE m_eRenoLegacyType
 Allow legacy renegotiation. More...
 
bool m_bUseSessionTickets
 use session tickets? (default true for client) More...
 
TIMESECD_t m_nTicketLifeSeconds
 session ticket lifetime More...
 
SSL_AUTHMODE_TYPE m_eAuthMode
 Verification mode for cert failures. More...
 
IX509VerifyCert * m_pVerifyCert
 Alternate mechanism to check certs. More...
 
cRefPtr< cX509Crt > m_pCaChain
 own trusted CA chain More...
 
cRefPtr< cX509Crl > m_pCaCrl
 trusted CA CRLs More...
 
cBigUnsigned m_dhm_P
 prime modulus for DHM. cKeyExDHM More...
 
cBigInteger m_dhm_G
 generator for DHM. cKeyExDHM More...
 
- Public Attributes inherited from GrayLib::cSSLSessionConfig
SSL_MAX_FRAG_TYPE m_eMaxFragLenCode
 MaxFragmentLength chosen by us. RFC 6066. More...
 
bool m_bEncryptThenMac
 flag for encrypt-then-mac for use with CBC. Enable support for Encrypt-then-MAC, RFC 7366. More...
 
bool m_bTruncatedHMAC
 negotiate truncated hmac? Enable support for RFC 6066 truncated HMAC in SSL. More...
 

Additional Inherited Members

- Static Public Attributes inherited from GrayLib::cSSL
static const size_t k_PSK_Size_Max = 32
 256 bits More...
 
static const size_t k_MAC_Size_Max = 48
 16 to 48. SHA-384 used for HMAC. like k_HashSizeMax More...
 
static const size_t k_Number_Size_Max = 1024
 Max reasonable size of a big number used for crypt purposes. 8k bits. like cBigInteger::k_SIZE_MAX. More...
 
static const size_t k_Content_Size_Max = 16384
 Size of content. >= k_MaxFragLens[MAX]. More...
 
static const WORD k_MaxFragLens [SSL_MAX_FRAG_LEN_QTY]
 

Detailed Description

config options that control how a SSL connection behaves.

Constructor & Destructor Documentation

◆ cSSLConfig()

GraySSL::cSSLConfig::cSSLConfig ( )

◆ ~cSSLConfig()

GraySSL::cSSLConfig::~cSSLConfig ( )

Member Function Documentation

◆ CheckOpts()

bool GraySSL::cSSLConfig::CheckOpts ( )

◆ FindAlpn()

const char * GraySSL::cSSLConfig::FindAlpn ( const BYTE *  pFind,
StrLen_t  nLenFind 
) const

Find a match in my list.

◆ IsECPGroupAllowed()

bool GraySSL::cSSLConfig::IsECPGroupAllowed ( const cECPGroup &  grp) const

Check if a curve proposed by the peer is in our list.

Returns
true if we're willing to use it, false otherwise.

◆ put_AllowRC4()

void GraySSL::cSSLConfig::put_AllowRC4 ( bool  bAllowRC4)

Disable or enable support for RC4. RC4 is broken and its use in TLS is prohibited by RFC 7465; leave this false. TODO: get rid of this and control RC4 through m_pCipherSuiteList instead (RC4 off by default).

◆ put_AlpnProtocols()

HRESULT GraySSL::cSSLConfig::put_AlpnProtocols ( const char **  ppAlpnList)

Set the supported Application Layer Protocols. "Empty strings MUST NOT be included and byte strings MUST NOT be truncated" (RFC 7301). Check lengths now rather than later.

  • ppAlpnList = 0-terminated list of supported protocols, in decreasing preference order.
    Returns
    0 on success, or GRAYSSL_ERR_BAD_INPUT_DATA.
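As an added illustration (not GraySSL's own code) of the two ALPN members, put_AlpnProtocols() and FindAlpn(), the stand-alone C++ below performs the list check RFC 7301 requires (no empty names, each name at most 255 bytes because the wire length prefix is one byte), encodes the list as a ProtocolNameList, and does the exact-length lookup of a peer-proposed name that is not NUL-terminated on the wire. The function names, the server-side selection in our preference order, and the sample protocol lists are assumptions made for the example.

```cpp
// Added example, not GraySSL code. ALPN list validation, wire encoding and
// lookup as RFC 7301 specifies; names and sample data are constructed here.
#include <cstdint>
#include <cstring>
#include <vector>

// Every entry must be 1..255 bytes (one-byte length prefix on the wire);
// an empty or null list is rejected too.
bool ValidateAlpnList(const char* const* ppAlpnList) {
    if (ppAlpnList == nullptr) return false;
    int count = 0;
    for (const char* const* p = ppAlpnList; *p != nullptr; ++p, ++count) {
        size_t len = std::strlen(*p);
        if (len == 0 || len > 255) return false;  // would be empty or truncated
    }
    return count > 0;
}

// RFC 7301 ProtocolNameList: 2-byte total length, then
// 1-byte-length-prefixed names in decreasing preference order.
std::vector<uint8_t> EncodeAlpnList(const char* const* ppAlpnList) {
    std::vector<uint8_t> out(2, 0);
    for (const char* const* p = ppAlpnList; *p != nullptr; ++p) {
        size_t len = std::strlen(*p);
        out.push_back(static_cast<uint8_t>(len));
        out.insert(out.end(), *p, *p + len);
    }
    size_t body = out.size() - 2;
    out[0] = static_cast<uint8_t>(body >> 8);
    out[1] = static_cast<uint8_t>(body & 0xff);
    return out;
}

// Exact-length match of a peer-proposed name (no NUL on the wire) against
// our list; returns our entry or nullptr. Mirrors what FindAlpn() must do.
const char* FindAlpnMatch(const char* const* ppAlpnList, const uint8_t* pFind, size_t nLenFind) {
    for (const char* const* p = ppAlpnList; *p != nullptr; ++p) {
        if (std::strlen(*p) == nLenFind && std::memcmp(*p, pFind, nLenFind) == 0) return *p;
    }
    return nullptr;
}

// Server-side choice (assumed policy): walk OUR preference order and take the
// first name the peer also offered. pPeerBody is the decoded list body.
// A name whose length runs past the buffer is a malformed hello: reject it.
const char* SelectAlpn(const char* const* ppOurList, const uint8_t* pPeerBody, size_t nPeerLen) {
    for (const char* const* p = ppOurList; *p != nullptr; ++p) {
        size_t i = 0;
        while (i < nPeerLen) {
            size_t len = pPeerBody[i];
            if (len == 0 || i + 1 + len > nPeerLen) return nullptr;  // empty or truncated
            if (std::strlen(*p) == len && std::memcmp(*p, pPeerBody + i + 1, len) == 0) return *p;
            i += 1 + len;
        }
    }
    return nullptr;
}

// Constructed sample lists for a stand-alone run.
static const char* const kOurProtocols[] = {"h2", "http/1.1", nullptr};
static const char* const kBadProtocols[] = {"h2", "", nullptr};  // contains an empty name

int main() {
    // Peer offers http/1.1 first, then h2; we still pick h2 (our first choice).
    const uint8_t peer[] = {8, 'h', 't', 't', 'p', '/', '1', '.', '1', 2, 'h', '2'};
    const char* chosen = SelectAlpn(kOurProtocols, peer, sizeof peer);
    bool ok = ValidateAlpnList(kOurProtocols) && !ValidateAlpnList(kBadProtocols)
              && chosen != nullptr && std::strcmp(chosen, "h2") == 0
              && EncodeAlpnList(kOurProtocols).size() == 14;
    return ok ? 0 : 1;
}
```

The lookup deliberately compares length first and then bytes: a C-string compare against a non-terminated wire name would either over-read or accept "h2" as a match for "h2c".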

◆ put_AuthMode()

void GraySSL::cSSLConfig::put_AuthMode ( SSL_AUTHMODE_TYPE  eAuthMode)
inline

Set the certificate verification mode

◆ put_EncryptThenMac()

void GraySSL::cSSLConfig::put_EncryptThenMac ( bool  etm)

Enable or disable Encrypt-then-MAC (Default: true)

Note
This should always be enabled, it is a security improvement, and should not cause any interoperability issue (used only if the peer supports it too).

◆ put_FallbackSCSV()

void GraySSL::cSSLConfig::put_FallbackSCSV ( bool  fallback)
inline

Set the fallback flag (client-side only). (Default: true).

Note
Set fallback to true when preparing a fallback connection, that is a connection with max_version set to a lower value than the value you're willing to use. Such fallback connections are not recommended but are sometimes necessary to inter-operate with buggy (version-intolerant) servers. The flag adds the TLS_FALLBACK_SCSV signalling cipher suite (RFC 7507) so that a server which supports a higher version can detect and refuse the downgrade.
You should NOT set this to true for non-fallback connections! This would appear to work for a while, then cause failures when the server is upgraded to support a newer TLS version.

◆ put_MaxFragLenCode()

HRESULT GraySSL::cSSLConfig::put_MaxFragLenCode ( SSL_MAX_FRAG_TYPE  eMaxFragLenCode)

Set the maximum fragment length to emit and/or negotiate (Default: k_Content_Size_Max, usually 2^14 bytes). Server: sets the maximum fragment length to emit; it is usually negotiated by the client during the handshake. Client: sets the maximum fragment length to emit and to negotiate with the server during the handshake.

  • eMaxFragLenCode Code for maximum fragment length (allowed values: SSL_MAX_FRAG_LEN_512, SSL_MAX_FRAG_LEN_1024, SSL_MAX_FRAG_LEN_2048, SSL_MAX_FRAG_LEN_4096)
Returns
0 if successful

◆ put_RandomNoise()

void GraySSL::cSSLConfig::put_RandomNoise ( IRandomNoise *  pRandom)
inline

set Random number generator

◆ put_RenoLegacyType()

void GraySSL::cSSLConfig::put_RenoLegacyType ( SSL_RENO_LEGACY_TYPE  allow_legacy)
inline

Prevent or allow legacy renegotiation. (Default: SSL_RENO_LEGACY_NO_RENEGOTIATION)

SSL_RENO_LEGACY_NO_RENEGOTIATION allows connections to be established even if the peer does not support secure renegotiation, but does not allow renegotiation to take place if not secure. (Interoperable and secure option)

SSL_RENO_LEGACY_ALLOW_RENEGOTIATION allows renegotiations with non-upgraded peers. Allowing legacy renegotiation makes the connection vulnerable to specific man in the middle attacks. (See RFC 5746) (Most interoperable and least secure option)

SSL_RENO_LEGACY_BREAK_HANDSHAKE breaks off connections if peer does not support secure renegotiation. Results in interoperability issues with non-upgraded peers that do not support renegotiation altogether. (Most secure option, interoperability issues)

◆ put_SessionTicketLifetime()

void GraySSL::cSSLConfig::put_SessionTicketLifetime ( TIMESECD_t  lifetime)
inline

Set session ticket lifetime (server only)

◆ put_UseExtendedMasterSecret()

void GraySSL::cSSLConfig::put_UseExtendedMasterSecret ( bool  ems)

Enable or disable Extended Master Secret negotiation. (Default: true)

Note
This should always be enabled, it is a security fix to the protocol, and should not cause any interoperability issue (used only if the peer supports it too).

◆ put_UseSessionTickets()

void GraySSL::cSSLConfig::put_UseSessionTickets ( bool  bUseTickets)
inline

Enable or disable session tickets (server side only). ONLY used for testing.

Note
On the server, put_RandomNoise() must be called before this function to allow generating the ticket encryption and authentication keys.

◆ put_UseTruncatedHMAC()

void GraySSL::cSSLConfig::put_UseTruncatedHMAC ( bool  bTruncatedHMAC)
inline

Activate negotiation of truncated HMAC (Default: false on client, true on server.) Truncated HMAC shortens the record MAC to 80 bits (RFC 6066); leave it disabled unless a constrained peer requires it.

  • bTruncatedHMAC = Enable or disable

◆ put_VerifyCert()

void GraySSL::cSSLConfig::put_VerifyCert ( IX509VerifyCert *  pVerifyCert)
inline

Set the verification callback (Optional). If set, the verify callback is called for each certificate in the chain.

◆ put_VersionMax()

void GraySSL::cSSLConfig::put_VersionMax ( SSL_VERSION_TYPE  v)

Set the maximum supported version sent from the client side and/or accepted at the server side (Default: SSL_VER_MAJOR_MAX, SSL_VERSION_SUPPORT_MAX)

  • v version number (SSL_VER_SSL_3, SSL_VER_TLS_1_0 and SSL_VER_TLS_1_1, SSL_VER_TLS_1_2 supported)
    Note
    This ignores ciphersuites from 'higher' versions.
    Input outside of the SSL_MAX_XXXXX_VERSION and SSL_MIN_XXXXX_VERSION range is ignored.

◆ put_VersionMin()

void GraySSL::cSSLConfig::put_VersionMin ( SSL_VERSION_TYPE  v)

Set the minimum accepted SSL/TLS protocol version (Default: SSL_VER_MAJOR_MIN, k_SSL_VERSION_SUPPORT_MIN)

  • v version number (SSL_VER_SSL_3, SSL_VER_TLS_1_0 and SSL_VER_TLS_1_1, SSL_VER_TLS_1_2 supported)
    Note
    Input outside of the SSL_MAX_XXXXX_VERSION and SSL_MIN_XXXXX_VERSION range is ignored.
    SSL_VER_SSL_3 (SSL v3) should be avoided: its CBC padding is not authenticated (POODLE) and the protocol is deprecated by RFC 7568.
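As an added illustration (not GraySSL's own code) of how put_VersionMin(), put_VersionMax() and put_FallbackSCSV() interact, the stand-alone C++ below keeps a version range that ignores out-of-range input, builds a ClientHello that carries TLS_FALLBACK_SCSV when the fallback flag is set, and performs the server-side checks: RFC 5246 version negotiation plus the RFC 7507 rule that a hello carrying the SCSV with a client_version below the server's maximum is refused with inappropriate_fallback. The version identifiers, their numeric ordering and the build-wide support limits are assumptions made for the example; the test for the caveat above (flag set on a non-fallback connection, then the server is upgraded) is included.

```cpp
// Added example, not GraySSL code. Version range handling and the
// TLS_FALLBACK_SCSV downgrade check of RFC 7507. Identifiers are assumed.
#include <algorithm>
#include <cstdint>
#include <vector>

enum SslVersion { VER_SSL_3 = 0, VER_TLS_1_0 = 1, VER_TLS_1_1 = 2, VER_TLS_1_2 = 3 };
const SslVersion kSupportMin = VER_SSL_3;   // assumed build-wide limits
const SslVersion kSupportMax = VER_TLS_1_2;
const uint16_t kFallbackSCSV = 0x5600;      // TLS_FALLBACK_SCSV cipher suite value

struct VersionRange { SslVersion lo; SslVersion hi; };

// Out-of-range input is ignored (returns false, range unchanged), which is
// the documented behaviour of put_VersionMax()/put_VersionMin().
bool PutVersionMax(VersionRange& r, int v) {
    if (v < kSupportMin || v > kSupportMax || v < r.lo) return false;
    r.hi = static_cast<SslVersion>(v);
    return true;
}
bool PutVersionMin(VersionRange& r, int v) {
    if (v < kSupportMin || v > kSupportMax || v > r.hi) return false;
    r.lo = static_cast<SslVersion>(v);
    return true;
}

struct ClientHello { SslVersion client_version; std::vector<uint16_t> suites; };

// Client: offer our configured maximum; when the fallback flag is set, append
// the signalling suite so the server can tell this is a retry at a lower version.
ClientHello BuildClientHello(const VersionRange& cfg, bool fallback, const std::vector<uint16_t>& suites) {
    ClientHello h{cfg.hi, suites};
    if (fallback) h.suites.push_back(kFallbackSCSV);
    return h;
}

enum NegotiateResult { NEG_OK = 0, ALERT_PROTOCOL_VERSION = 70, ALERT_INAPPROPRIATE_FALLBACK = 86 };

// Server: refuse a signalled fallback when we support something higher than
// the hello offers (that is exactly the downgrade an attacker would force),
// reject versions below our minimum, otherwise take the highest common one.
NegotiateResult ServerNegotiate(const VersionRange& srv, const ClientHello& h, SslVersion& chosen) {
    bool scsv = std::find(h.suites.begin(), h.suites.end(), kFallbackSCSV) != h.suites.end();
    if (scsv && h.client_version < srv.hi) return ALERT_INAPPROPRIATE_FALLBACK;
    if (h.client_version < srv.lo) return ALERT_PROTOCOL_VERSION;
    chosen = std::min(h.client_version, srv.hi);
    return NEG_OK;
}

int main() {
    VersionRange srv{VER_TLS_1_0, VER_TLS_1_2};
    VersionRange fallbackClient{VER_TLS_1_0, VER_TLS_1_0};  // deliberate retry at TLS 1.0
    SslVersion chosen = VER_SSL_3;
    ClientHello h = BuildClientHello(fallbackClient, true, std::vector<uint16_t>{0x002F});
    return ServerNegotiate(srv, h, chosen) == ALERT_INAPPROPRIATE_FALLBACK ? 0 : 1;
}
```

The last two test cases are the documented caveat: a client that sets the flag on its ordinary connection at TLS 1.1 works against a TLS 1.1 server and breaks the day that server is upgraded to TLS 1.2.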

◆ SetCAChain()

void GraySSL::cSSLConfig::SetCAChain ( cX509Crt *  pCaChain,
cX509Crl *  pCaCrl 
)
inline

Set the data required to verify peer certificate

  • pCaChain = trusted CA chain (meaning all fully trusted top-level CAs)
  • pCaCrl = trusted CA CRLs

◆ SetCipherSuiteList()

void GraySSL::cSSLConfig::SetCipherSuiteList ( const SSL_CipherSuite_t *  ciphersuites,
SSL_VERSION_TYPE  v 
)

Set the list of allowed ciphersuites and the preference order. First in the list has the highest preference. (Overrides all version specific lists)

  • ciphersuites = 0-terminated list of allowed ciphersuites
  • v = protocol version the list applies to (m_pCipherSuiteList holds one list per version)
    Note
    The server uses its own preferences over the preference of the client unless USE_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!

◆ SetKeyExDHMParams() [1/2]

HRESULT GraySSL::cSSLConfig::SetKeyExDHMParams ( cKeyExDHM *  dhm_ctx)

◆ SetKeyExDHMParams() [2/2]

HRESULT GraySSL::cSSLConfig::SetKeyExDHMParams ( const char *  dhm_P,
const char *  dhm_G 
)
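The page gives no description for either overload. As an added illustration (not GraySSL's own code) of what a caller should check before handing hex strings to the dhm_P/dhm_G overload, the stand-alone C++ below validates the structural properties of Diffie-Hellman parameters without a bignum library: the modulus must be odd and at least 2048 bits (1024-bit groups are the Logjam class), and the generator must satisfy 2 <= g <= p-2 (g = 0, 1 or p-1 gives a trivial or order-2 subgroup). It cannot prove p is a safe prime; that still has to come from a trusted published group. Function names, error codes and the constructed sample values are assumptions made for the example.

```cpp
// Added example, not GraySSL code. Structural sanity checks on hex-string
// DH parameters; sample values in the usage are constructed, not real primes.
#include <cctype>
#include <string>

// Value of one upper-case hex digit.
static int NibbleVal(char c) {
    return std::isdigit(static_cast<unsigned char>(c)) ? c - '0' : c - 'A' + 10;
}

// Strip an optional 0x prefix and leading zeros; "" means zero, "?" means not hex.
static std::string NormHex(const char* s) {
    if (s == nullptr) return "?";
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) s += 2;
    std::string t;
    for (; *s; ++s) {
        if (!std::isxdigit(static_cast<unsigned char>(*s))) return "?";
        t.push_back(static_cast<char>(std::toupper(static_cast<unsigned char>(*s))));
    }
    size_t i = t.find_first_not_of('0');
    return i == std::string::npos ? std::string() : t.substr(i);
}

// Bit length of the integer in a hex string (0 for zero or bad input).
size_t HexBitLength(const char* hex) {
    std::string n = NormHex(hex);
    if (n.empty() || n == "?") return 0;
    int v = NibbleVal(n[0]), b = 0;
    while (v) { ++b; v >>= 1; }
    return (n.size() - 1) * 4 + b;
}

// Unsigned comparison of two normalized hex strings: -1, 0 or 1.
static int HexCompare(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return a.size() < b.size() ? -1 : 1;
    int c = a.compare(b);
    return c < 0 ? -1 : (c > 0 ? 1 : 0);
}

enum DhmCheck { DHM_OK, DHM_BAD_HEX, DHM_P_TOO_SHORT, DHM_P_EVEN, DHM_G_OUT_OF_RANGE };

// Accept only: p odd and at least minBits long, and 2 <= g <= p-2.
DhmCheck CheckDhmParams(const char* dhm_P, const char* dhm_G, size_t minBits = 2048) {
    std::string P = NormHex(dhm_P), G = NormHex(dhm_G);
    if (P == "?" || G == "?" || P.empty()) return DHM_BAD_HEX;
    if (HexBitLength(dhm_P) < minBits) return DHM_P_TOO_SHORT;   // 1024-bit groups: Logjam territory
    if ((NibbleVal(P.back()) & 1) == 0) return DHM_P_EVEN;          // a prime modulus is odd
    if (G.empty() || G == "1") return DHM_G_OUT_OF_RANGE;          // g = 0 or 1 makes the shared key constant
    std::string Pm1 = P;                                            // p is odd, so p-1 needs no borrow
    Pm1.back() = "0123456789ABCDEF"[NibbleVal(P.back()) - 1];
    if (HexCompare(G, Pm1) >= 0) return DHM_G_OUT_OF_RANGE;        // g = p-1 has order 2; g >= p is invalid
    return DHM_OK;
}
```

In practice pass a published group such as the RFC 7919 ffdhe2048 parameters rather than hand-typed hex; this check then only guards against a copy-and-paste error, which is still worth catching before the first handshake.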

◆ VerifyCrt()

HRESULT GraySSL::cSSLConfig::VerifyCrt ( cX509Crt *  pCrt,
const char *  pszPeerCN,
OUT X509_Verify_t &  eVerifyResults 
) const

Member Data Documentation

◆ m_bAllowRC4

bool GraySSL::cSSLConfig::m_bAllowRC4

flag for enabling/disabling SSL_Cipher_RC4_128. default = false. TODO: get rid of this and control RC4 through m_pCipherSuiteList instead.

◆ m_bExtendedMasterSecret

bool GraySSL::cSSLConfig::m_bExtendedMasterSecret

flag for extended master secret. Extended Master Secret, aka Session Hash (draft-ietf-tls-session-hash-02, now RFC 7627).

◆ m_bFallbackSCSV

bool GraySSL::cSSLConfig::m_bFallbackSCSV

flag for allowing fallback connections SSL_FALLBACK_SCSV cipher suite ? (Client only)

◆ m_bUseSessionTickets

bool GraySSL::cSSLConfig::m_bUseSessionTickets

use session tickets? (default true for client)

◆ m_dhm_G

cBigInteger GraySSL::cSSLConfig::m_dhm_G

generator for DHM. cKeyExDHM

◆ m_dhm_P

cBigUnsigned GraySSL::cSSLConfig::m_dhm_P

prime modulus for DHM. cKeyExDHM

◆ m_eAuthMode

SSL_AUTHMODE_TYPE GraySSL::cSSLConfig::m_eAuthMode

Verification mode for cert failures.

◆ m_ECPGroupsAllowed

cECPGroupPrefs GraySSL::cSSLConfig::m_ECPGroupsAllowed

Allow only these ECPGroup_TYPE curves. 0 terminated array of ECPGroup_TYPE.

◆ m_eRenoLegacyType

SSL_RENO_LEGACY_TYPE GraySSL::cSSLConfig::m_eRenoLegacyType

Allow legacy renegotiation.

◆ m_nTicketLifeSeconds

TIMESECD_t GraySSL::cSSLConfig::m_nTicketLifeSeconds

session ticket lifetime

◆ m_pCaChain

cRefPtr<cX509Crt> GraySSL::cSSLConfig::m_pCaChain

own trusted CA chain

◆ m_pCaCrl

cRefPtr<cX509Crl> GraySSL::cSSLConfig::m_pCaCrl

trusted CA CRLs

◆ m_pCipherSuiteList

const SSL_CipherSuite_t* GraySSL::cSSLConfig::m_pCipherSuiteList[SSL_VERSION_QTY]

allowed ciphersuites for each version

◆ m_ppAlpnList

const char** GraySSL::cSSLConfig::m_ppAlpnList

ordered list of supported protocols. nullptr terminated.

◆ m_pRandom

IRandomNoise* GraySSL::cSSLConfig::m_pRandom

random number generator. g_Rand.

◆ m_pVerifyCert

IX509VerifyCert* GraySSL::cSSLConfig::m_pVerifyCert

Alternate mechanism to check certs.

◆ m_VerRange

cRangeT<SSL_VERSION_TYPE> GraySSL::cSSLConfig::m_VerRange

What range of versions do we support?


The documentation for this class was generated from the following files: