Add configuration option to remove peer CRT after handshake
This commit is contained in:
parent
4a82c1ccb4
commit
bb278f52ca
2 changed files with 28 additions and 2 deletions
@ -1354,6 +1354,28 @@
*/
#define MBEDTLS_SSL_FALLBACK_SCSV
/**
* \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
*
* This option controls the presence of the API mbedtls_ssl_get_peer_cert()
* giving access to the peer's certificate after completion of the handshake.
*
* Unless you need mbedtls_ssl_peer_cert() in your application, it is
* recommended to disable this option for reduced RAM usage.
*
* \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still
* defined, but always returns \c NULL.
*
* \note This option has no influence on the protection against the
* triple handshake attack. Even if it is disabled, Mbed TLS will
* still ensure that certificates do not change during renegotiation,
* for exaple by keeping a hash of the peer's certificate.
*
* Comment this macro to disable storing the peer's certificate
* after the handshake.
*/
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
/**
* \def MBEDTLS_SSL_HW_RECORD_ACCEL
*
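Review bot: the second paragraph of the new MBEDTLS_SSL_KEEP_PEER_CERTIFICATE docblock refers to `mbedtls_ssl_peer_cert()`, but the API the option governs is named `mbedtls_ssl_get_peer_cert()` two lines earlier; the two names should match so the comment can be checked against the header. In the same block, "for exaple by keeping a hash" should read "for example". The opening sentence says the option "controls the presence of the API", while the first \note says the function stays defined and merely returns \c NULL when the option is off; suggest rewording the opener to "controls whether the peer's certificate is kept after the handshake, and therefore whether mbedtls_ssl_get_peer_cert() can return it" so the two statements do not contradict each other. Because the triple-handshake note makes a security promise (certificates cannot change across renegotiation even when the certificate itself is discarded), it would be better to state exactly what is retained in place of "for example by keeping a hash", so that reviewers of the renegotiation path know what to verify against this comment.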
@ -2982,8 +2982,12 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl );
* \param ssl The SSL context to use. This must be initialized and setup.
*
* \return The current peer certificate, or \c NULL if
* none is available. It is owned by the SSL context
* and valid only until the next call to the SSL API.
* none is available, which might be because the chosen
* ciphersuite does not use peer certificates, or because
* #MBEDTLS_SSL_KEEP_PEER_CERTIFICATE has been disabled.
* If this functions does not return \c NULL, the returned
* certificate is owned by the SSL context and valid only
* until the next call to the SSL API.
*
* \note For one-time inspection of the peer's certificate during
* the handshake, consider registering an X.509 CRT verification
|
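Review bot: the rewritten \return text names two reasons for a \c NULL result (a ciphersuite that does not use peer certificates, or #MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled) but presents them with "might be because", which reads as exhaustive even though the retained phrase "none is available" is broader (no certificate was ever received, or the handshake has not completed yet); a caller reading this could take \c NULL as proof that no certificate was presented. Suggest keeping a general "no certificate is available" clause with the two new conditions as examples, and adding one sentence that when the option is disabled any inspection of the peer certificate has to happen during the handshake, which connects directly to the verification-callback \note that follows. Also "If this functions does not return \c NULL" should read "If this function does not return \c NULL".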