Diffstat (limited to 'security/nss/lib/ssl/ssl.h')
-rw-r--r-- | security/nss/lib/ssl/ssl.h | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index fc4a4a70c..dc5a9d4cd 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -190,7 +190,7 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
 /* Use draft-ietf-tls-session-hash. Controls whether we offer the
  * extended_master_secret extension which, when accepted, hashes
  * the handshake transcript into the master secret. This option is
- * disabled by default.
+ * enabled by default.
  */
 #define SSL_ENABLE_EXTENDED_MASTER_SECRET 30
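Review bot: The rewritten comment line now says the extension is enabled by default, but this hunk changes only the comment and the option number stays 30, so the actual default must be flipped in the option table outside this file (the diffstat shown is limited to ssl.h); worth confirming both agree before merging. Since the draft has been published, naming the RFC would let readers find the normative text: ` /* Use RFC 7627 (draft-ietf-tls-session-hash). Controls whether we offer the`. A short clause that binding the master secret to the transcript is what the RFC provides would also explain why on-by-default is the safer choice.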
@@ -299,6 +299,33 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
  * This is disabled by default and will be removed in a future version.
  */
 #define SSL_ENABLE_V2_COMPATIBLE_HELLO 38
+/* Enables the post-handshake authentication in TLS 1.3. If it is set
+ * to PR_TRUE, the client will send the "post_handshake_auth"
+ * extension to indicate that it will process CertificateRequest
+ * messages after handshake.
+ *
+ * This option applies only to clients. For a server, the
+ * SSL_SendCertificateRequest can be used to request post-handshake
+ * authentication.
+ */
+#define SSL_ENABLE_POST_HANDSHAKE_AUTH 39
+
+/* Enables the delegated credentials extension (draft-ietf-tls-subcerts). When
+ * enabled, a client that supports TLS 1.3 will indicate willingness to
+ * negotiate a delegated credential (DC).
+ *
+ * If support is indicated, the peer may use a DC to authenticate itself. The DC
+ * is sent as an extension to the peer's end-entity certificate; the end-entity
+ * certificate is used to verify the DC, which in turn is used to verify the
+ * handshake. DCs effectively extend the certificate chain by one, but only
+ * within the context of TLS. Once issued, DCs can't be revoked; in order to
+ * mitigate the damage in case the secret key is compromised, the DC is only
+ * valid for a short time (days, hours, or even minutes).
+ *
+ * This library implements draft-03 of the protocol spec.
+ */
+#define SSL_ENABLE_DELEGATED_CREDENTIALS 40
+
 #ifdef SSL_DEPRECATED_FUNCTION
 /* Old deprecated function names */
 SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRIntn on); |
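Review bot: Neither of the two new option comments states its default, while the neighbouring option 38 comment on the context line just above ends with "This is disabled by default"; the new blocks for SSL_ENABLE_POST_HANDSHAKE_AUTH and SSL_ENABLE_DELEGATED_CREDENTIALS should follow that convention so integrators know whether they must opt in. If both default to off, as I would expect for client-side extensions that widen what a peer may present, add ` * This option is disabled by default.` before the closing ` */` of each block. The delegated-credentials comment pins draft-03 of the spec; a one-line caveat that the extension codepoint and wire format may change between drafts, so interoperability with peers on other draft versions is not expected, would save a debugging session later. The sentence "Once issued, DCs can't be revoked" is the key risk statement and is well placed; it could additionally remind readers that the short validity window is only a mitigation if the library rejects expired DCs, which the comment leaves implicit.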