Botan

Hooks for application level policies on TLS connections

License
Botan is released under the Simplified BSD License (see LICENSE.md)

class  TLSPolicy;

TLS policy base class. Inherit and override as desired to suit local policy concerns.


const Vector!string  allowedCiphers();

Returns a list of ciphers we are willing to negotiate, in order of preference.


const Vector!string  allowedSignatureHashes();

Returns a list of hash algorithms we are willing to use for signatures, in order of preference.


const Vector!string  allowedMacs();

Returns a list of MAC algorithms we are willing to use.


const Vector!string  allowedKeyExchangeMethods();

Returns a list of key exchange algorithms we are willing to use, in order of preference. Allowed values: DH, empty string (representing RSA using server certificate key)


const Vector!string  allowedSignatureMethods();

Returns a list of signature algorithms we are willing to use, in order of preference. Allowed values: RSA and DSA.


const Vector!string  allowedEccCurves();

Returns a list of ECC curves we are willing to use, in order of preference.


const Vector!ubyte  compression();

Returns a list of compression algorithms we are willing to use, in order of preference. Allowed values: any value of Compression_Method.

Notes:
Compression is not currently supported.


const string  chooseCurve(in Vector!string curve_names);

Choose an elliptic curve to use


const bool  negotiateHeartbeatSupport();

Attempt to negotiate the use of the heartbeat extension


Allow renegotiation even if the counterparty doesn't support the secure renegotiation extension.

Notes:
Changing this to true exposes you to injected plaintext attacks. Read RFC 5746 for background.

Allow servers to initiate a new handshake


const DLGroup  dhGroup();

Return the group to use for ephemeral Diffie-Hellman key agreement


const size_t  minimumDhGroupSize();

Return the minimum DH group size we're willing to use


const bool  hideUnknownUsers();

If this function returns false, unknown SRP/PSK identifiers will be rejected with an unknown_psk_identifier alert as soon as the non-existence is identified. Otherwise, a false identifier value will be used and the protocol allowed to proceed, causing the handshake to eventually fail without revealing that the username does not exist on this system.
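A language-neutral model of the two behaviours described for hideUnknownUsers, added here as an example; it is not Botan's code. The PSK store, the HMAC-derived decoy key, the proof check and the outcome strings other than unknown_psk_identifier are assumptions of the model.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one provisioned PSK identity.
PSK_STORE = {"sensor-01": bytes.fromhex("00112233445566778899aabbccddeeff")}
# Per-server secret used only to derive decoy keys (assumption of this model).
DECOY_SECRET = secrets.token_bytes(32)


def client_proof(key: bytes, transcript: bytes) -> bytes:
    """Stand-in for the keyed check at the end of a handshake."""
    return hmac.new(key, transcript, hashlib.sha256).digest()


def lookup_psk(identity: str, hide_unknown_users: bool):
    """Return (alert, key); alert is None when the handshake may proceed."""
    key = PSK_STORE.get(identity)
    if key is not None:
        return None, key
    if not hide_unknown_users:
        # Early, distinguishable failure: reveals that the identity is absent.
        return "unknown_psk_identifier", None
    # Decoy key, stable per identity so repeated probes behave the same way.
    decoy = hmac.new(DECOY_SECRET, identity.encode(), hashlib.sha256).digest()[:16]
    return None, decoy


def server_handshake(identity: str, proof: bytes, transcript: bytes,
                     hide_unknown_users: bool) -> str:
    """Return the outcome the peer observes for this attempt."""
    alert, key = lookup_psk(identity, hide_unknown_users)
    if alert is not None:
        return alert
    if hmac.compare_digest(client_proof(key, transcript), proof):
        return "handshake_ok"
    # Same outcome for "unknown identity" and "known identity, wrong key".
    return "handshake_failed"
```

With hiding enabled, a probe for a missing identity and a wrong key for a real identity produce the same outcome, so the response no longer works as a username oracle.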


const Duration  sessionTicketLifetime();

Return the allowed lifetime of a session ticket. If 0, session tickets do not expire until the session ticket key rolls over. Expired session tickets cannot be used to resume a session.


const bool  acceptableProtocolVersion(TLSProtocolVersion _version);

Returns
true if and only if we are willing to accept this version. The default accepts only TLS, so to enable DTLS, override this in your application.

Returns
true if servers should choose the ciphersuite matching their highest preference, rather than the client's. Has no effect on the client side.

const Vector!ushort  ciphersuiteList(TLSProtocolVersion _version, bool have_srp);

Return allowed ciphersuites, in order of preference


class  NSASuiteB128: botan.tls.policy.TLSPolicy;

NSA Suite B 128-bit security level (see RFC 6460)


class  DatagramPolicy: botan.tls.policy.TLSPolicy;

TLSPolicy for DTLS. We require DTLS v1.2 and an AEAD mode