|Age||Commit message (Collapse)||Author||Files||Lines|
Take out various fields into a new connection class. We will have the
option to connect to multiple servers.
Make the priority configurable, load DH params, allow to specify
certificates or anonymous operations.
Using tls priority of NORMAL:+ANON-ECDH:+ANON-DH already allows a
client to connect to a server and protect the data using tls.
Generate the dh params on load (and do that for the client right
now as well) but that will go away soon.
Use GNUtls because it is GPL compatible and instead of mbedTLS seems
to have a working non-blocking I/O integration. GNUtls has various
issues that could not be resolved easily:
* Pick spdy as sub protocol
* gmt_time not randomized
* private key loaded to RAM (but not verified)
This is the beginning and not the end. Client support might need more
work with actual tls verification. Maybe more manual x509 cert
verification is needed and maybe client certs don't work at all. I try
to ignore renegotiation as I threw away the key.
Reload x509 creds and keys as they might have changed from one
connection to another.