X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Ftlsproxy.h;h=15c5a51b8fcdfbcd6f0d230ed653f478f2db7a3b;hb=730ce301477d9d5c9367756bad840eb4504e0257;hp=f93be4609f9573fe49b578c3227a99222eae46d9;hpb=a8a45901f08376d0f4b8a6fe72d2cc90e2fc991e;p=tlsproxy%2Ftlsproxy.git

diff --git a/src/tlsproxy.h b/src/tlsproxy.h
index f93be46..15c5a51 100644
--- a/src/tlsproxy.h
+++ b/src/tlsproxy.h
@@ -25,11 +25,13 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 
 #include <gnutls/gnutls.h>
 
 #include "log.h"
 
+
 /* Length for path arrays. */
 #define TLSPROXY_MAX_PATH_LENGTH 1024
 
@@ -49,6 +51,18 @@
  * certificate. */
 #define STORED_SERVER_CERT_FILE_FORMAT "./certificate-%s-server.pem"
 
+/* GnuTLS priority string used for both server and client connections. */
+#define PROXY_TLS_PRIORITIES \
+    /* Don't use known insecure algorithms. */ \
+    "SECURE" \
+    /* Lower priority of SHA-1, user better hashes if possible. */ \
+    ":-SHA1:+SHA1" \
+    /* Force safe renegotiations. Shouldn't cause any problems as this \
+     * option only affects the server side (with GnuTLS defaults) and the \
+     * local clients most-likely already support safe renegotiations (old \
+     * servers are therefore not an issue). */ \
+    ":%SAFE_RENEGOTIATION"
+
 
 /* Proxy hostname and port if specified on the command line. */
 char *global_proxy_host;