Add negotiation of Extended Master Secret

(But not the actual thing yet.)
2025-12-24 00:06:32 +01:00 · 2014-10-20 18:40:56 +02:00 · 2014-10-20 18:40:56 +02:00 · 367381fddd
commit 367381fddd
parent 178f9d6e19
8 changed files with 264 additions and 0 deletions
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@ -811,6 +811,20 @@
 */
 //#define POLARSSL_SSL_DEBUG_ALL

+/** \def POLARSSL_SSL_EXTENDED_MASTER_SECRET
+ *
+ * Enable support for Extended Master Secret, aka Session Hash
+ * (draft-ietf-tls-session-hash-02).
+ *
+ * This was introduced as "the proper fix" to the Triple Handshake familiy of
+ * attacks, but it is recommended to always use it (even if you disable
+ * renegotiation), since it actually fixes a more fundamental issue in the
+ * original SSL/TLS design, and has implications beyond Triple Handshake.
+ *
+ * Comment this macro to disable support for Extended Master Secret.
+ */
+#define POLARSSL_SSL_EXTENDED_MASTER_SECRET
+
 /**
 * \def POLARSSL_SSL_FALLBACK_SCSV
 *