+/* Paths to proxy files: the CA, the server key and DH parameters. */
+#define PROXY_CA_PATH "proxy-ca.pem"
+#define PROXY_KEY_PATH "proxy-key.pem"
+#define PROXY_DH_PATH "proxy-dh.pem"
+/* Path to special "invalid" certificate send to the client when an error
+ * occurs. */
+#define PROXY_INVALID_CERT_PATH "proxy-invalid.pem"
+/* The server certificate for the given hostname is stored in
+ * "./certificate-hostname-proxy.pem" - we use this for the connection to the
+ * client. */
+#define PROXY_SERVER_CERT_FILE_FORMAT "./certificate-%s-proxy.pem"
+/* The remote server certificate for the given hostname is stored in
+ * "./certificate-hostname-proxy.pem" - we make sure the server sends this
+ * certificate. */
+#define STORED_SERVER_CERT_FILE_FORMAT "./certificate-%s-server.pem"
+
+/* GnuTLS priority string used for both server and client connections. */
+#define PROXY_TLS_PRIORITIES \
+ /* Don't use known insecure algorithms. */ \
+ "SECURE" \
+ /* Lower priority of SHA-1, user better hashes if possible. */ \
+ ":-SHA1:+SHA1" \
+ /* No RC4, it's broken. */ \
+ ":-ARCFOUR-40:-ARCFOUR-128" \
+ /* Force safe renegotiations. Shouldn't cause any problems as this \
+ * option only affects the server side (with GnuTLS defaults) and the \
+ * local clients most-likely already support safe renegotiations (old \
+ * servers are therefore not an issue). */ \
+ ":%SAFE_RENEGOTIATION"