X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Ftlsproxy.h;h=af58ff24dfadc32ebc338fa9f1e6885b64317b70;hb=HEAD;hp=5c0940c932f66365af0e12cd657e8e9d22e03e6e;hpb=3eebfbd0b124c034d57e9ddba051e82fe99ba05f;p=tlsproxy%2Ftlsproxy.git

diff --git a/src/tlsproxy.h b/src/tlsproxy.h
index 5c0940c..af58ff2 100644
--- a/src/tlsproxy.h
+++ b/src/tlsproxy.h
@@ -1,7 +1,7 @@
 /*
  * Global variables/defines.
  *
- * Copyright (C) 2011-2013  Simon Ruderich
+ * Copyright (C) 2011-2014  Simon Ruderich
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -25,15 +25,17 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 
 #include <gnutls/gnutls.h>
 
 #include "log.h"
 
+
 /* Length for path arrays. */
 #define TLSPROXY_MAX_PATH_LENGTH 1024
 
-/* Paths to necessary TLS files: the CA, the server key and DH parameters. */
+/* Paths to proxy files: the CA, the server key and DH parameters. */
 #define PROXY_CA_PATH  "proxy-ca.pem"
 #define PROXY_KEY_PATH "proxy-key.pem"
 #define PROXY_DH_PATH  "proxy-dh.pem"
@@ -43,11 +45,25 @@
 /* The server certificate for the given hostname is stored in
  * "./certificate-hostname-proxy.pem" - we use this for the connection to the
  * client. */
-#define PROXY_SERVER_CERT_FORMAT "./certificate-%s-proxy.pem"
+#define PROXY_SERVER_CERT_FILE_FORMAT "./certificate-%s-proxy.pem"
 /* The remote server certificate for the given hostname is stored in
  * "./certificate-hostname-proxy.pem" - we make sure the server sends this
  * certificate. */
-#define STORED_SERVER_CERT_FORMAT "./certificate-%s-server.pem"
+#define STORED_SERVER_CERT_FILE_FORMAT "./certificate-%s-server.pem"
+
+/* GnuTLS priority string used for both server and client connections. */
+#define PROXY_TLS_PRIORITIES \
+    /* Don't use known insecure algorithms. */ \
+    "SECURE" \
+    /* Lower priority of SHA-1, user better hashes if possible. */ \
+    ":-SHA1:+SHA1" \
+    /* No RC4, it's broken. */ \
+    ":-ARCFOUR-40:-ARCFOUR-128" \
+    /* Force safe renegotiations. Shouldn't cause any problems as this \
+     * option only affects the server side (with GnuTLS defaults) and the \
+     * local clients most-likely already support safe renegotiations (old \
+     * servers are therefore not an issue). */ \
+    ":%SAFE_RENEGOTIATION"
 
 
 /* Proxy hostname and port if specified on the command line. */