|
DeterministicESPAsyncWebServer v6.28.0
Zero-allocation, bounded-execution async HTTP server for ESP32
|
TLS version negotiation + pinned cipher-suite policy (DETWS_ENABLE_TLS_POLICY). More...
Go to the source code of this file.
TLS version negotiation + pinned cipher-suite policy (DETWS_ENABLE_TLS_POLICY).
The transport TLS layer (network_drivers/tls, mbedTLS-backed) already runs the record and handshake and floors the version at TLS 1.2 - so both TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446) are negotiated. What the roadmap's TLS items add on top is a policy: pin the negotiated version to an audited [min,max] range and make the chosen version observable, and pin the cipher suites to an audited allowlist selected by server preference (AEAD-only for a hardened profile).
This is that pure policy core: detws_tls_negotiate_version picks the version the way a server does (the highest it supports not above the client's), detws_tls_version_name names it for a status endpoint, detws_tls_select_cipher selects a suite by server preference from the offered set, and detws_tls_is_aead classifies a suite. Pure, host-testable; the app feeds the results to the mbedTLS config. No heap, no stdlib.
Definition in file tls_policy.h.