Make redbean SSL more tunable

This change enables SSL compression. It significantly reduces the network load of the testing infrastructure, for free, since this revision didn't need to change any runit protocol code. However we turn it off by default in redbean since no browsers support it. It turns out that some TLSv1.0 clients (e.g. curl command on RHEL5) will send an SSLv2-style ClientHello. These types of clients are usually ten+ years old and were designed to interop with servers ten years older than them. Your redbean is now able to interop with these clients even though redbean doesn't actually support SSLv2 or SSLv3. Please note that the -B flag may be passed to disable this along with TLSv1.0, TLSv1.1, 3DES, &c The following Lua APIs have been added to redbean: - ProgramSslCompression(bool) - ProgramSslCiphersuite(name:str) - ProgramSslPresharedKey(key:str,identity:str) Lastly the DHE ciphersuites have been enabled. IANA recommends DHE and with old clients like RHEL5 it's the only perfect forward secrecy they implement.
2025-08-05 09:20:29 +00:00 · 2021-08-09 07:00:23 -07:00 · 2021-08-09 07:00:23 -07:00 · 53b9f83e1c
commit 53b9f83e1c
parent d86027fe90
15 changed files with 567 additions and 227 deletions
--- a/third_party/mbedtls/ssl.h
+++ b/third_party/mbedtls/ssl.h
@ -1075,6 +1075,7 @@ struct mbedtls_ssl_config
    unsigned int dtls_srtp_mki_support : 1; /* support having mki_value
                                               in the use_srtp extension     */
 #endif
+    bool disable_compression;
 };

 struct mbedtls_ssl_context
@ -1113,7 +1114,8 @@ struct mbedtls_ssl_context
    mbedtls_ssl_session *session;               /*!<  negotiated session data     */
    mbedtls_ssl_session *session_negotiate;     /*!<  session data in negotiation */
    mbedtls_ssl_handshake_params *handshake;    /*!<  params required only during
-                                              the handshake process        */
+                                                      the handshake process        */
+    const mbedtls_ecp_curve_info *curve;
    /*
     * Record layer transformations
     */
@ -1442,7 +1444,7 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *, const unsigned c
 int mbedtls_ssl_set_hostname( mbedtls_ssl_context *, const char * );
 int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *, const unsigned char *, size_t );
 int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *, mbedtls_x509_crt *, mbedtls_pk_context * );
-int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *, const unsigned char *, size_t );
+int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *, const void *, size_t );
 int mbedtls_ssl_set_session( mbedtls_ssl_context *, const mbedtls_ssl_session * );
 int mbedtls_ssl_setup( mbedtls_ssl_context *, const mbedtls_ssl_config * );
 int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types , const unsigned char *, size_t, const char *, const unsigned char *, size_t, unsigned char *, size_t );