This adds support for the ephemeral elliptic curve Diffie-Hellman key
exchange, which provides for forward secrecy in the event that
long-term keys are compromised.
For the moment, we've hard-coded the curve as prime256v1.
Previously there was no way to override the hard-coded cipher suite
specification of "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
This commit does leave in place the hardcoded cipher spec for WebRTC
of "HIGH:!DSS:!aNULL@STRENGTH".
Previously if the TPTAG_TLS_VERSION was set to a non-zero value we
supported only TLSv1 (but not TLSv1.1 or TLSv1.2), and if it was set to
zero we supported all versions of TLS and SSL (including the
ridiculous SSLv2).
Now we take an integer field where various bits can be set indicating
which versions of TLS we would like to support.
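The three TLS-context changes described above (ephemeral ECDH on prime256v1, an overridable cipher spec, and a version bitmask in place of the old "TLSv1 only or everything") as an added, stand-alone example in Python's ssl module, which wraps the same OpenSSL settings sofia-sip drives from C. This is not sofia-sip code: the bit values for the version field are this example's own assumption, the two cipher strings and the curve name are the ones quoted in the commit messages, and the forward-secrecy check parses OpenSSL's cipher description text.

```python
import ssl

# Version bits for the "integer field where various bits can be set".
# The values are an assumption of this example, not sofia-sip's constants.
TLS_V1 = 1 << 0
TLS_V1_1 = 1 << 1
TLS_V1_2 = 1 << 2
TLS_V1_3 = 1 << 3

# Ordered low to high; OpenSSL expresses the allowed versions as a min/max range.
_ORDERED = [
    (TLS_V1, ssl.TLSVersion.TLSv1),
    (TLS_V1_1, ssl.TLSVersion.TLSv1_1),
    (TLS_V1_2, ssl.TLSVersion.TLSv1_2),
    (TLS_V1_3, ssl.TLSVersion.TLSv1_3),
]
_ALL_BITS = sum(bit for bit, _ in _ORDERED)

# The two cipher specs quoted in the commit messages.
DEFAULT_CIPHERS = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
WEBRTC_CIPHERS = "HIGH:!DSS:!aNULL@STRENGTH"


def versions_from_bits(bits):
    """Translate a version bitmask into the (minimum, maximum) pair OpenSSL needs.

    A mask of 0 is rejected rather than treated as "all versions" (the old
    behaviour, SSLv2 included), and a mask with a hole such as
    TLS_V1 | TLS_V1_2 is rejected because a min/max range cannot express it.
    """
    if bits & ~_ALL_BITS:
        raise ValueError("unknown version bit set: 0x%x" % bits)
    idx = [i for i, (bit, _) in enumerate(_ORDERED) if bits & bit]
    if not idx:
        raise ValueError("no TLS version selected; refusing to fall back to 'all'")
    if idx[-1] - idx[0] + 1 != len(idx):
        raise ValueError("version set must be contiguous (OpenSSL uses a min/max range)")
    return _ORDERED[idx[0]][1], _ORDERED[idx[-1]][1]


def make_server_context(version_bits, cipher_spec=DEFAULT_CIPHERS, curve="prime256v1"):
    """Build a server context with the version range, cipher spec and ECDH curve applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    lo, hi = versions_from_bits(version_bits)
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    ctx.set_ciphers(cipher_spec)   # the spec is now a parameter, not a hard-coded string
    ctx.set_ecdh_curve(curve)      # the commit hard-codes prime256v1; parameterised here
    return ctx


def non_forward_secret_suites(ctx):
    """Names of enabled suites that use static RSA key exchange (no forward secrecy).

    Parses the "Kx=" token of OpenSSL's cipher description, e.g.
    "AES128-SHA TLSv1 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1".  TLS 1.3 suites
    report Kx=any and are always ephemeral, so they never appear in the result.
    """
    bad = []
    for c in ctx.get_ciphers():
        tokens = dict(t.split("=", 1) for t in c["description"].split() if "=" in t)
        if tokens.get("Kx") == "RSA":
            bad.append(c["name"])
    return bad


if __name__ == "__main__":
    # The sofia default spec still admits static-RSA suites; an ECDHE-only
    # spec does not.  The second string is this example's own, not sofia-sip's.
    for spec in (DEFAULT_CIPHERS, WEBRTC_CIPHERS, "ECDHE:!aNULL:!MD5:@STRENGTH"):
        ctx = make_server_context(TLS_V1_2 | TLS_V1_3, spec)
        print("%-32s non-PFS suites: %d" % (spec, len(non_forward_secret_suites(ctx))))
```

Note that a cipher spec alone does not give you forward secrecy: "ALL:!ADH:!LOW:!EXP:!MD5" still admits Kx=RSA suites, so a client that prefers them gets no ephemeral exchange even with the curve configured. Either exclude them in the spec (as the third string above does) or enforce server cipher preference.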
Sofia accepts a value for the TCP keepalive timeout interval via
TPTAG_KEEPALIVE, however it fails to use this value for the Linux
keepalive socket options TCP_KEEPIDLE and TCP_KEEPINTVL. In fact, on
Linux it enables the sending of TCP keepalives even if tpp_keepalive
is set to zero which would disable Sofia's internal keepalive
mechanisms. Sofia then uses a hard-coded value of 30 seconds for
these keepalive intervals which affects battery life on mobile
devices.
With this commit we harmonize the sending of TCP keepalives on Linux
with other platforms by using the value from TPTAG_KEEPALIVE and not
enabling the sending of TCP keepalives at all if the value of the
parameter is zero.
FS-6104 --resolve
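The keepalive behaviour described in that commit, as an added example that is not sofia-sip's code: a Python stand-in for the C socket-option handling, using the Linux TCP_KEEPIDLE / TCP_KEEPINTVL options it names (plus TCP_KEEPCNT, which the commit does not mention). It assumes the TPTAG_KEEPALIVE value is in milliseconds and that zero means "send no TCP keepalives at all", and it reads the settings back so the effect can be verified on an unconnected socket.

```python
import socket

# TPTAG_KEEPALIVE is taken here to be milliseconds (an assumption of this
# example); the kernel options below are expressed in whole seconds.
KEEPALIVE_PROBES = 3  # TCP_KEEPCNT: unanswered probes before the peer is dropped


def set_tcp_keepalive(sock, keepalive_ms):
    """Configure kernel TCP keepalives from a Sofia-style keepalive value.

    0 disables SO_KEEPALIVE entirely (the commit's fix for the case where
    tpp_keepalive is zero).  Any other value is used for both the idle time
    before the first probe and the interval between probes, in place of a
    hard-coded 30 s.  Returns True if keepalives were enabled.
    """
    if keepalive_ms <= 0:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 0)
        return False
    secs = max(1, keepalive_ms // 1000)   # the kernel cannot go below 1 s
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # The option names are Linux-specific; other platforms (macOS uses
    # TCP_KEEPALIVE for the idle time) simply skip the ones they lack.
    for name in ("TCP_KEEPIDLE", "TCP_KEEPINTVL"):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, secs)
    opt = getattr(socket, "TCP_KEEPCNT", None)
    if opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, opt, KEEPALIVE_PROBES)
    return True


def get_tcp_keepalive(sock):
    """Read back the effective keepalive settings as a dict (for checks/tests)."""
    state = {"enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    for key, name in (("idle", "TCP_KEEPIDLE"),
                      ("interval", "TCP_KEEPINTVL"),
                      ("probes", "TCP_KEEPCNT")):
        opt = getattr(socket, name, None)
        if opt is not None:
            state[key] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return state


if __name__ == "__main__":
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("kernel defaults:       ", get_tcp_keepalive(s))
        set_tcp_keepalive(s, 0)
        print("TPTAG_KEEPALIVE=0:     ", get_tcp_keepalive(s))
        set_tcp_keepalive(s, 120000)
        print("TPTAG_KEEPALIVE=120000:", get_tcp_keepalive(s))
```

On Linux the idle and interval options are per-socket overrides of net.ipv4.tcp_keepalive_time (7200 s) and net.ipv4.tcp_keepalive_intvl (75 s), so enabling SO_KEEPALIVE without setting them, as the pre-fix code effectively did with its own 30 s value, gives whatever the host defaults are rather than what the application asked for.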
In a sofia profile, you can now set the parameter tls-timeout to a
positive integer value which represents the maximum time in seconds
that OpenSSL will keep a TLS session (and its ephemeral keys) alive.
This value is passed to OpenSSL's SSL_CTX_set_timeout(3).
OpenSSL's default value is 300 seconds, but the relevant standard
(RFC 2246) suggests that much longer session lifetimes are
acceptable (it recommends values less than 24 hours).
Longer values can be useful for extending battery life on mobile
devices.
Signed-off-by: Travis Cross <tc@traviscross.com>
* tport_type_udp.c: added field names to tport_vtable_t initialization
Wed Jun 3 12:25:52 CDT 2009 Pekka Pessi <first.last@nokia.com>
* tport_type_tcp.c: added field names to tport_vtable_t initialization
Wed Jun 3 12:29:13 CDT 2009 Pekka Pessi <first.last@nokia.com>
* tport_threadpool.c: added field names to tport_vtable_t initialization
Wed Jun 3 12:29:41 CDT 2009 Pekka Pessi <first.last@nokia.com>
* tport_type_connect.c: added field names to tport_vtable_t initialization
Wed Jun 3 12:30:01 CDT 2009 Pekka Pessi <first.last@nokia.com>
* tport_type_stun.c: added field names to tport_vtable_t initialization
Wed Jun 3 12:30:17 CDT 2009 Pekka Pessi <first.last@nokia.com>
* tport_type_sctp.c: added field names to tport_vtable_t initialization
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@13956 d0543943-73ff-0310-b7d9-9358b9ac24b2
* su_uniqueid.c: Solaris misdefines PTHREAD_ONCE_INIT
Ignore-this: 9fe2247164d572901ed4a30b009353db
Solaris defines pthread_once_t as a struct containing an array. The
initializer PTHREAD_ONCE_INIT needs two levels of brackets but only has
one. Original patch from Mike Jerris <mike@jerris.com>.
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@13388 d0543943-73ff-0310-b7d9-9358b9ac24b2
* tport.c: do not use out-of-scope array in tport_deliver()
Ignore-this: a651d5eb213850d9dfd317102a432f8e
Coverity issue.
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@13331 d0543943-73ff-0310-b7d9-9358b9ac24b2
* tport.c: add TPTAG_LOG() and TPTAG_DUMP() to tport_get_params()
Fixed return value from tport_set_params(), too.
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@12374 d0543943-73ff-0310-b7d9-9358b9ac24b2