Allow rehandshakes for server connections.
authorSimon Ruderich <simon@ruderich.org>
Sun, 18 Aug 2013 12:27:14 +0000 (14:27 +0200)
committerSimon Ruderich <simon@ruderich.org>
Sun, 18 Aug 2013 12:27:14 +0000 (14:27 +0200)
NEWS
src/connection.c
src/tlsproxy.h

diff --git a/NEWS b/NEWS
index 9735d131d410cd5c8433e58bc8a0901f16cf5726..3f3c66399e1542a28d592d0d374be246c570ded1 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,8 @@ NEWS
 - Add -a option, authentication for tlsproxy via basic digest authentication.
 - Add new debug level (-d 3) for even more debug output, including information
   about the current TLS session.
+- Allow rehandshakes for server connections (%SAFE_RENEGOTIATION is forced to
+  prevent issues).
 - Use pre-generated Diffie-Hellman parameters in proxy-dh.pem.
 - Code cleanup.
 - Better error handling.
index 15eb321d811965d4f0b1a71c72659fb500a3d5ea..1fbbae57831f1464109380b4e5339df09e72710c 100644 (file)
@@ -785,6 +785,18 @@ static int read_from_write_to_tls(gnutls_session_t from,
 
     size_read = gnutls_record_recv(from, buffer, buffer_size);
     if (size_read < 0) {
+        /* Allow rehandshakes. As handshakes might be insecure make sure that
+         * %SAFE_RENEGOTIATION is used in GnuTLS's priority string. */
+        if (size_read == GNUTLS_E_REHANDSHAKE) {
+            int result = gnutls_handshake(from);
+            if (result != GNUTLS_E_SUCCESS) {
+                LOG(WARNING, "server TLS rehandshake failed: %s",
+                             gnutls_strerror(result));
+                return -1;
+            }
+            return 0;
+        }
+
         LOG(WARNING, "read_from_write_to_tls(): gnutls_record_recv(): %s",
                      gnutls_strerror((int)size_read));
         return -1;
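Review bot: After `gnutls_handshake(from)` succeeds, the new branch returns 0 without re-checking the peer's certificate, yet a renegotiation can present a different certificate from the one accepted at connection setup. If the initial handshake verifies the server certificate (not visible in this hunk), the same check should run again here before returning, and the connection should be dropped if it fails. Separately, `gnutls_handshake()` can return non-fatal codes such as GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, which this branch treats as a failed rehandshake; with `int result;` declared first, `do { result = gnutls_handshake(from); } while (result < 0 && gnutls_error_is_fatal(result) == 0);` would retry those. The log text says "server" although `from` is whichever session the caller passed; read_from_write_to_tls() starts and ends outside the hunk, so whether this path also runs for the client-facing session cannot be confirmed from here.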
index 33df814f622331f3b6ab464858fd749c19758f26..4664428fe862be1f5ce02bde348399b037667b8d 100644 (file)
     /* Don't use known insecure algorithms. */ \
     "SECURE" \
     /* Lower priority of SHA-1, user better hashes if possible. */ \
-    ":-SHA1:+SHA1"
+    ":-SHA1:+SHA1" \
+    /* Force safe renegotiations. Shouldn't cause any problems as this \
+     * option only affects the server side (with GnuTLS defaults) and the \
+     * local clients most-likely already support safe renegotiations (old \
+     * servers are therefore not an issue). */ \
+    ":%SAFE_RENEGOTIATION"
 
 
 /* Proxy hostname and port if specified on the command line. */
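Review bot: The added comment says the option "only affects the server side", but the hunk does not show which sessions this priority string is applied to, and in GnuTLS `%SAFE_RENEGOTIATION` makes both clients and servers refuse peers that lack the renegotiation extension. If the string were ever used for the outbound session, old upstream servers would be rejected at the initial handshake. If it is used only for the listening side, the rehandshake path added in src/connection.c relies on GnuTLS's default renegotiation policy rather than on this string, which is at odds with the comment there. A comment naming the session would settle it, for example `/* Applied only to the session facing local clients; the session to the upstream server uses GnuTLS's default renegotiation policy. */` if that is indeed the case. The macro's name and opening lines are outside the hunk.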