DeterministicESPAsyncWebServer v6.28.0
Zero-allocation, bounded-execution async HTTP server for ESP32
Loading...
Searching...
No Matches
tls_policy.h File Reference

TLS version negotiation + pinned cipher-suite policy (DETWS_ENABLE_TLS_POLICY). More...

#include "ServerConfig.h"
#include <stddef.h>
#include <stdint.h>

Go to the source code of this file.

Detailed Description

TLS version negotiation + pinned cipher-suite policy (DETWS_ENABLE_TLS_POLICY).

The transport TLS layer (network_drivers/tls, mbedTLS-backed) already runs the record and handshake and floors the version at TLS 1.2 - so both TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446) are negotiated. What the roadmap's TLS items add on top is a policy: pin the negotiated version to an audited [min,max] range and make the chosen version observable, and pin the cipher suites to an audited allowlist selected by server preference (AEAD-only for a hardened profile).

This is that pure policy core: detws_tls_negotiate_version picks the version the way a server does (the highest it supports not above the client's), detws_tls_version_name names it for a status endpoint, detws_tls_select_cipher selects a suite by server preference from the offered set, and detws_tls_is_aead classifies a suite. Pure, host-testable; the app feeds the results to the mbedTLS config. No heap, no stdlib.

Definition in file tls_policy.h.