#
ecdh_curve = prime256v1
+ #
+ # client_hello_parse:: Extract attributes from TLS Client Hello
+ #
+ # For logging / diagnostics it can be beneficial to extract
+ # data from the TLS Client Hello.
+ #
+ # These are placed in `session-state` so that they are
+ # accessible throughout the authentication process.
+ #
+# client_hello_parse = no
+
#
# verify:: Parameters for controlling client cert chain
# verification.
bool verify_certificate; //!< Does the "verify certificate" section exist.
bool new_session; //!< Does the "new session" section exist.
bool establish_session; //!< Does the "establish session" section exist.
+ bool client_hello_parse; //!< Should attributes be extracted from Client Hello.
};
fr_tls_conf_t *fr_tls_conf_alloc(TALLOC_CTX *ctx);
{ FR_CONF_OFFSET("tls_min_version", fr_tls_conf_t, tls_min_version), .dflt = "1.2" },
+ { FR_CONF_OFFSET("client_hello_parse", fr_tls_conf_t, client_hello_parse )},
+
{ FR_CONF_OFFSET_SUBSECTION("session", 0, fr_tls_conf_t, cache, tls_cache_config) },
{ FR_CONF_OFFSET_SUBSECTION("verify", 0, fr_tls_conf_t, verify, tls_verify_config) },
SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_TLS_SESSION, (void *)tls_session);
+ if (conf->client_hello_parse) {
+ SSL_CTX_set_client_hello_cb(ssl_ctx, fr_tls_session_client_hello_cb, NULL);
+ }
+
tls_session->mtu = conf->fragment_size;
if (dynamic_mtu > 100 && dynamic_mtu < tls_session->mtu) {
RDEBUG2("Setting fragment_len to %zu from dynamic_mtu", dynamic_mtu);
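Review bot: `SSL_CTX_set_client_hello_cb(ssl_ctx, ...)` on the third added line configures the shared SSL_CTX from inside what looks like per-session setup (the surrounding lines operate on `tls_session->ssl`), so the same callback is re-registered on every new session, and once set it applies to every SSL created from that context, not only the session being built here. OpenSSL has no per-SSL variant of this callback, so the registration belongs wherever the SSL_CTX is built from `conf`, presumably guarded by the same test: `if (conf->client_hello_parse) SSL_CTX_set_client_hello_cb(ssl_ctx, fr_tls_session_client_hello_cb, NULL);` — with this block removed from the session path. If `ssl_ctx` here is not the context `tls_session->ssl` was created from, the call also has no effect on this session at all; worth confirming against the enclosing function, which starts outside the hunk. Note that the callback runs on the raw, unauthenticated Client Hello of every connection attempt and its return value decides whether the handshake proceeds, so a short comment at the registration site stating that `fr_tls_session_client_hello_cb` must tolerate malformed extension data without aborting the handshake (or stating that aborting is intended) would help the next reader.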