Struct bearssl::br_ssl_server_choices
[−]
[src]
#[repr(C)]pub struct br_ssl_server_choices { pub cipher_suite: u16, pub algo_id: c_uint, pub chain: *const br_x509_certificate, pub chain_len: usize, }
\brief Type for the server policy choices, taken after analysis of the client message (ClientHello).
Fields
cipher_suite: u16
\brief Cipher suite to use with that client.
algo_id: c_uint
\brief Hash function or algorithm for signing the ServerKeyExchange.
This parameter is ignored for TLS_RSA_*
and TLS_ECDH_*
cipher suites; it is used only for TLS_ECDHE_*
suites, in
which the server signs the ephemeral EC Diffie-Hellman
parameters sent to the client.
This identifier must be one of the following values:
0xFF00 + id
, whereid
is a hash function identifier (0 for MD5+SHA-1, or 2 to 6 for one of the SHA functions);a full 16-bit identifier, lower than
0xFF00
.
If the first option is used, then the SSL engine will
compute the hash of the data that is to be signed, with the
designated hash function. The do_sign()
method will be
invoked with that hash value provided in the the data
buffer.
If the second option is used, then the SSL engine will NOT
compute a hash on the data; instead, it will provide the
to-be-signed data itself in data
, i.e. the concatenation of
the client random, server random, and encoded ECDH
parameters. Furthermore, with TLS-1.2 and later, the 16-bit
identifier will be used "as is" in the protocol, in the
SignatureAndHashAlgorithm; for instance, 0x0401
stands for
RSA PKCS#1 v1.5 signature (the 01
) with SHA-256 as hash
function (the 04
).
Take care that with TLS 1.0 and 1.1, the hash function is
constrainted by the protocol: RSA signature must use
MD5+SHA-1 (so use 0xFF00
), while ECDSA must use SHA-1
(0xFF02
). Since TLS 1.0 and 1.1 don't include a
SignatureAndHashAlgorithm field in their ServerKeyExchange
messages, any value below 0xFF00
will be usable to send the
raw ServerKeyExchange data to the do_sign()
callback, but
that callback must still follow the protocol requirements
when generating the signature.
chain: *const br_x509_certificate
\brief Certificate chain to send to the client.
This is an array of br_x509_certificate
objects, each
normally containing a DER-encoded certificate. The server
code does not try to decode these elements.
chain_len: usize
\brief Certificate chain length (number of certificates).
Trait Implementations
impl Debug for br_ssl_server_choices
[src]
impl Copy for br_ssl_server_choices
[src]
impl Clone for br_ssl_server_choices
[src]
fn clone(&self) -> br_ssl_server_choices
[src]
Returns a copy of the value. Read more
fn clone_from(&mut self, source: &Self)
1.0.0[src]
Performs copy-assignment from source
. Read more