X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Ftlsproxy.h;h=692278e7fa4e0b5184fe19c6d38d631af69ca2cc;hb=61041fcbfedb13bacd16cd11a9bd0fb5446b7abb;hp=33df814f622331f3b6ab464858fd749c19758f26;hpb=3123fc1e16a763eb4614ebca4fc6bc80142021a9;p=tlsproxy%2Ftlsproxy.git

diff --git a/src/tlsproxy.h b/src/tlsproxy.h
index 33df814..692278e 100644
--- a/src/tlsproxy.h
+++ b/src/tlsproxy.h
@@ -25,6 +25,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 
 #include <gnutls/gnutls.h>
 
@@ -34,7 +35,7 @@
 /* Length for path arrays. */
 #define TLSPROXY_MAX_PATH_LENGTH 1024
 
-/* Paths to necessary TLS files: the CA, the server key and DH parameters. */
+/* Paths to proxy files: the CA, the server key and DH parameters. */
 #define PROXY_CA_PATH  "proxy-ca.pem"
 #define PROXY_KEY_PATH "proxy-key.pem"
 #define PROXY_DH_PATH  "proxy-dh.pem"
@@ -55,7 +56,12 @@
     /* Don't use known insecure algorithms. */ \
     "SECURE" \
     /* Lower priority of SHA-1, user better hashes if possible. */ \
-    ":-SHA1:+SHA1"
+    ":-SHA1:+SHA1" \
+    /* Force safe renegotiations. Shouldn't cause any problems as this \
+     * option only affects the server side (with GnuTLS defaults) and the \
+     * local clients most-likely already support safe renegotiations (old \
+     * servers are therefore not an issue). */ \
+    ":%SAFE_RENEGOTIATION"
 
 
 /* Proxy hostname and port if specified on the command line. */