/*
 * TLS module
 *
 * Copyright (C) 2010 iptelorg GmbH
 * Copyright (C) 2013 Motorola Solutions, Inc.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/**
 * TLS runtime configuration.
 *
 * Declares the runtime-reconfigurable parameter group of the TLS module
 * (struct cfg_group_tls), its compiled-in defaults, the cfg framework
 * descriptor table and the fix-up hook that validates a configuration.
 * The values are consumed by the TLS module's OpenSSL setup code (not in
 * this file).
 *
 * @file tls_cfg.h
 * @ingroup: tls
 * Module: @ref tls
 */

/*
 * History:
 * --------
 *  2010-05-27  initial version (andrei)
 */

/* NOTE(review): identifiers beginning with a double underscore are reserved
 * for the implementation (C11 7.1.3). The guard name is kept unchanged here
 * because other translation units may test it. */
#ifndef __tls_cfg_h
#define __tls_cfg_h

#include "../../str.h"
#include "../../cfg/cfg.h"

/* maximum accepted lifetime (maximum possible is ~ MAXINT/2)
 * (it should be kept in sync w/ MAX_TCP_CON_LIFETIME from tcp_main.c:
 * MAX_TLS_CON_LIFETIME <= MAX_TCP_CON_LIFETIME )
 *
 * Evaluates to the most significant bit of a ticks_t-sized value.
 * NOTE(review): the shift is performed on an unsigned int (1U), so the
 * expression is only well-defined while ticks_t is no wider than unsigned
 * int; ticks_t is typedef'd elsewhere — confirm its width if it changes. */
#define MAX_TLS_CON_LIFETIME (1U<<(sizeof(ticks_t)*8-1))

/**
 * Runtime configuration group of the TLS module.
 *
 * Each member corresponds to one entry of tls_cfg_def[] (declared below)
 * and can be changed at runtime through the cfg framework
 * (../../cfg/cfg.h); default_tls_cfg holds the compiled-in values.
 * Members whose comments say "presumably" are not documented in this
 * header; their exact semantics are defined where they are consumed
 * (tls_cfg.c / the TLS module init code) — verify there before relying
 * on them.
 */
struct cfg_group_tls {
	int force_run;      /* presumably: start the module even if a sanity
	                     * check fails — confirm against tls_cfg_def[] */
	str method;         /* TLS protocol/method selector, as a string;
	                     * presumably parsed/validated by fix_tls_cfg() */
	int verify_cert;    /* presumably: verify the peer certificate.
	                     * NOTE(review): if this is off, any peer certificate
	                     * is accepted — check the default in default_tls_cfg */
	int verify_depth;   /* presumably: maximum accepted certificate chain
	                     * depth during verification */
	int require_cert;   /* presumably: require the peer to present a
	                     * certificate at all (vs. merely verifying it if
	                     * one is sent) */
	str private_key;    /* private key (presumably a PEM file path).
	                     * Secret material: the referenced file should be
	                     * readable by the server user only */
	str ca_list;        /* trusted CA certificates (presumably a file path) */
	str crl;            /* certificate revocation list (presumably a file
	                     * path) */
	str certificate;    /* server/client certificate (presumably a file path) */
	str cipher_list;    /* cipher selection string handed to OpenSSL,
	                     * presumably in OpenSSL cipher-list syntax */
	int session_cache;  /* presumably: enable the TLS session cache */
	str session_id;     /* presumably: session-id context used with the
	                     * session cache */
	str config_file;    /* per-domain TLS configuration file (path) */
	int log;            /* log level used by the module (presumably) */
	int debug;          /* debug level used by the module (presumably) */
	int con_lifetime;   /* connection lifetime; presumably clamped to
	                     * MAX_TLS_CON_LIFETIME (defined above) by
	                     * fix_tls_cfg() — confirm */
	int disable_compression; /* presumably: disable TLS-level compression
	                     * (compression is generally kept disabled for
	                     * security reasons) */
	/* release internal openssl read or write buffer when they are no longer
	 * used (complete read or write that does not have to buffer anything).
	 * Should be used together with tls_free_list_max_len. Might have some
	 * performance impact (and extra *malloc pressure), but has also the
	 * potential of saving a lot of memory (at least 32k/idle connection in the
	 * default config, or ~ 16k+tls_max_send_fragment)) */
	int ssl_release_buffers;
	/* maximum length of free/unused memory buffers/chunks per connection.
	 * Setting it to 0 would cause any unused buffers to be immediately freed
	 * and hence a lower memory footprint (at the cost of a possible
	 * performance decrease and more *malloc pressure).
	 * Too large value would result in extra memory consumption.
	 * The default is 32 in openssl.
	 * For lowest memory usage set it to 0 and tls_mode_release_buffers to 1 */
	int ssl_freelist_max;
	/* maximum number of bytes (clear text) sent into one record.
	 * The default and maximum value are ~16k. Lower values would lead to a
	 * lower memory footprint.
	 * Values lower than the typical app. write size might decrease
	 * performance (extra write() syscalls), so it should be kept ~2k for ser. */
	int ssl_max_send_fragment;
	/* enable read ahead. Should increase performance (1 less syscall when
	 * enabled, else openssl makes 1 read() for each record header and another
	 * for the content), but might interact with SSL_pending() (not used right
	 * now) */
	int ssl_read_ahead;
	int low_mem_threshold1;  /* presumably: first (soft) shared-memory
	                          * low-water mark, in the unit chosen by the
	                          * consumer — confirm in tls_cfg.c */
	int low_mem_threshold2;  /* presumably: second (hard) shared-memory
	                          * low-water mark — confirm in tls_cfg.c */
	int ct_wq_max;      /* maximum overall tls write clear text queued bytes */
	int con_ct_wq_max;  /* maximum clear text write queued bytes per con */
	int ct_wq_blk_size; /* minimum block size for the clear text write queue */
	int send_close_notify; /* if set try to be nice and send a shutdown alert
	                          before closing the tcp connection */
};

/** Compiled-in default values for the group (defined in tls_cfg.c, presumably). */
extern struct cfg_group_tls default_tls_cfg;

/** Opaque handle to the live, runtime-reconfigurable instance of the group.
 * It is a volatile void*, i.e. not meant to be dereferenced directly;
 * presumably it is read through the cfg framework accessors
 * (../../cfg/cfg.h) — confirm the access pattern in the consumers. */
extern volatile void* tls_cfg;

/** cfg framework descriptor table: one entry per struct cfg_group_tls member. */
extern cfg_def_t tls_cfg_def[];

/**
 * Validate and normalise a TLS configuration group (cfg framework fix-up
 * hook).
 *
 * @param cfg the group to fix up, modified in place.
 * @return int status; presumably 0 on success and negative on error,
 *         following the rest of the cfg framework — confirm in tls_cfg.c.
 */
extern int fix_tls_cfg(struct cfg_group_tls* cfg);

#endif /*__tls_cfg_h*/

/* vi: set ts=4 sw=4 tw=79:ai:cindent: */