From 7c2d4fee2547650102cd16d23f8125b76112ae75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Thu, 26 Aug 2010 15:15:47 +0000 Subject: For better forward-security support, add functions SSL_[CTX_]set_not_resumable_session_callback. Submitted by: Emilia Kasper (Google) [A part of this change affecting ssl/s3_lib.c was accidentally commited separately, together with a compilation fix for that file; see s3_lib.c CVS revision 1.133 (http://cvs.openssl.org/chngview?cn=19855).] --- CHANGES | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'CHANGES') diff --git a/CHANGES b/CHANGES index 8c6cfbe9d8..114f339e29 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,24 @@ Changes between 1.0.0 and 1.1.0 [xx XXX xxxx] + *) Improve forward-security support: add functions + + void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure)) + void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure)) + + for use by SSL/TLS servers; the callback function will be called whenever a + new session is created, and gets to decide whether the session may be + cached to make it resumable (return 0) or not (return 1). (As by the + SSL/TLS protocol specifications, the session_id sent by the server will be + empty to indicate that the session is not resumable; also, the server will + not generate RFC 4507 (RFC 5077) session tickets.) + + A simple reasonable callback implementation is to return is_forward_secure. + This parameter will be set to 1 or 0 depending on the ciphersuite selected + by the SSL/TLS server library, indicating whether it can provide forward + security. + [Emilia Käsper (Google)] + *) Add Next Protocol Negotiation, http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be disabled with a no-npn flag to config or Configure. Code donated -- cgit v1.2.3