Make renegotiation a compile-time option

2014-11-03 08:23:14 +01:00 · 2014-11-03 08:23:14 +01:00 · 615e677c0b
commit 615e677c0b
parent 85d915b81d
7 changed files with 196 additions and 73 deletions
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@ -821,6 +821,19 @@
 */
 //#define POLARSSL_SSL_HW_RECORD_ACCEL

+/**
+ * \def POLARSSL_SSL_RENEGOTIATION
+ *
+ * Enable support for TLS renegotiation.
+ *
+ * The two main uses of renegotiation are (1) refresh keys on long-lived
+ * connections and (2) client authentication after the initial handshake.
+ * If you don't need renegotiation, it's probably better to disable it, since
+ * it has been associated with security issues in the past and is easy to
+ * misuse/misunderstand.
+ */
+#define POLARSSL_SSL_RENEGOTIATION
+
 /**
 * \def POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
 *