Commit Graph

53 Commits

Author SHA1 Message Date
devsaurus 6f3f1126d6 fix example 2019-01-20 12:46:53 +01:00
Nathaniel Wesley Filardo 6e95d74fbd Update TLS protocol support (#2587)
* Update TLS protocol support

TLS1.0 is past PCI's EOL; BEAST is no more
Enable elliptic curve key exchanges
	Do not enable the smallest ECs for security
	Do not enable the largest ECs for computational time
	Do not enable 25519 (sad) because it doesn't go across the wire
Drop non-PFS key exchanges
Drop ARC4, Blowfish, DES, genprime, XTEA code
Drop renegotiation support completely
	It takes so much heap that it's not likely to work out well

Tidy handling of SSL_BUFFER_SIZE

Update docs
Drop mention of startcom, since they are no more, for letsencrypt

* Update mbedtls to 2.7.7

Preserve our vsnprintf and platform hacks

* Introduce TLS maximum fragment size knob

Reduce buffer size to 4Ki by default and advertize that.  That's the
largest we can advertize with the TLS MFL extension, so there's no
point in making them larger.  The truly adventurous can re-raise
SSL_BUFFER_SIZE and undefine the SSL_MAX_FRAGMENT_LENGTH_CODE and get
back to the earlier behavior.

* Default to mbedTLS debug with DEVELOP_VERSION
2019-01-15 17:02:32 +01:00
Marcel Stör b126c6b2d2 Re-organize documentation
Drop support for localized content, #2213

Restructure some content to match more closely what we have in master, #2542
2019-01-13 22:01:57 +01:00