Add negotiation of Extended Master Secret (But not the actual thing yet.)

commit: 367381fdddb68e72c408fed763b955f620abf451 [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Mon Oct 20 18:40:56 2014 +0200
committer: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Nov 05 16:00:49 2014 +0100
tree: fc613d395494254365988f229390c0da225c7441
parent: 178f9d6e190d0f19ee9485e059e258650b5dac98 [diff] [blame]
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index ff0ccec..9ca39e7 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h

@@ -811,6 +811,20 @@
  */
 //#define POLARSSL_SSL_DEBUG_ALL
 
+/** \def POLARSSL_SSL_EXTENDED_MASTER_SECRET
+ *
+ * Enable support for Extended Master Secret, aka Session Hash
+ * (draft-ietf-tls-session-hash-02).
+ *
+ * This was introduced as "the proper fix" to the Triple Handshake familiy of
+ * attacks, but it is recommended to always use it (even if you disable
+ * renegotiation), since it actually fixes a more fundamental issue in the
+ * original SSL/TLS design, and has implications beyond Triple Handshake.
+ *
+ * Comment this macro to disable support for Extended Master Secret.
+ */
+#define POLARSSL_SSL_EXTENDED_MASTER_SECRET
+
 /**
  * \def POLARSSL_SSL_FALLBACK_SCSV
  *
commit	367381fdddb68e72c408fed763b955f620abf451	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Mon Oct 20 18:40:56 2014 +0200
committer	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Wed Nov 05 16:00:49 2014 +0100
tree	fc613d395494254365988f229390c0da225c7441
parent	178f9d6e190d0f19ee9485e059e258650b5dac98 [diff] [blame]