Add configuration option to remove peer CRT after handshake

This commit is contained in:
Hanno Becker 2019-02-05 17:04:00 +00:00
parent 869144b3e9
commit b90f655a78
2 changed files with 28 additions and 2 deletions

View file

@ -1404,6 +1404,28 @@
*/
#define MBEDTLS_SSL_FALLBACK_SCSV
/**
* \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
*
* This option controls the presence of the API mbedtls_ssl_get_peer_cert()
* giving access to the peer's certificate after completion of the handshake.
*
* Unless you need mbedtls_ssl_peer_cert() in your application, it is
* recommended to disable this option for reduced RAM usage.
*
* \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still
* defined, but always returns \c NULL.
*
* \note This option has no influence on the protection against the
* triple handshake attack. Even if it is disabled, Mbed TLS will
* still ensure that certificates do not change during renegotiation,
* for exaple by keeping a hash of the peer's certificate.
*
* Comment this macro to disable storing the peer's certificate
* after the handshake.
*/
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
/**
* \def MBEDTLS_SSL_HW_RECORD_ACCEL
*

View file

@ -3240,8 +3240,12 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl );
* \param ssl The SSL context to use. This must be initialized and setup.
*
* \return The current peer certificate, or \c NULL if
* none is available. It is owned by the SSL context
* and valid only until the next call to the SSL API.
* none is available, which might be because the chosen
* ciphersuite does not use peer certificates, or because
* #MBEDTLS_SSL_KEEP_PEER_CERTIFICATE has been disabled.
* If this functions does not return \c NULL, the returned
* certificate is owned by the SSL context and valid only
* until the next call to the SSL API.
*
* \note For one-time inspection of the peer's certificate during
* the handshake, consider registering an X.509 CRT verification