Make DTLS_HELLO_VERIFY a compile option

commit: 82202f0a9ce7ecf0a37c224e6cb307d8e9d15b61 [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Jul 23 00:28:58 2014 +0200
committer: Paul Bakker <p.j.bakker@polarssl.org> Tue Oct 21 16:30:16 2014 +0200
tree: 086826e8396626b1e09d917496ee0a7b99812a66
parent: 98545f128a030051713bf58e3745ccdd58737f8b [diff] [blame]
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 731b90c..4988f39 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h

@@ -924,6 +924,23 @@
 #define POLARSSL_SSL_ALPN
 
 /**
+ * \def POLARSSL_SSL_DTLS_HELLO_VERIFY
+ *
+ * Enable support for HelloVerifyRequest on DTLS servers.
+ *
+ * This feature is highly recommended to prevent DTLS servers being used as
+ * amplifiers in DoS attacks against other hosts. It should always be enabled
+ * unless you know for sure amplification cannot be a problem in the
+ * environment in which your server operates.
+ *
+ * Requires: POLARSSL_SSL_SRV_C
+ *           POLARSSL_POLARSSL_PROTO_DTLS
+ *
+ * Comment this to disable support for HelloVerifyRequest.
+ */
+#define POLARSSL_SSL_DTLS_HELLO_VERIFY
+
+/**
  * \def POLARSSL_SSL_SESSION_TICKETS
  *
  * Enable support for RFC 5077 session tickets in SSL.
commit	82202f0a9ce7ecf0a37c224e6cb307d8e9d15b61	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Wed Jul 23 00:28:58 2014 +0200
committer	Paul Bakker <p.j.bakker@polarssl.org>	Tue Oct 21 16:30:16 2014 +0200
tree	086826e8396626b1e09d917496ee0a7b99812a66
parent	98545f128a030051713bf58e3745ccdd58737f8b [diff] [blame]