authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-07 23:55:47 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-08 00:00:59 +0200
commit4da9342263784dada84671893a6b41cd52e38701 (patch)
tree939230100ec9f6329debf4dc8af602365276cf74
parentf9c88ed32a9cc6fdc03ddd2075b3073bf2215311 (diff)
The session ticket and OCSP certificate status extensions are enabled by default.
On the client side, gnutls_init() enables the session ticket and OCSP certificate status request extensions by default. The flag GNUTLS_NO_EXTENSIONS can be used to prevent that.
-rw-r--r--NEWS4
-rw-r--r--doc/examples/ex-client-resume.c3
-rw-r--r--doc/examples/ex-client-x509.c4
-rw-r--r--lib/gnutls_state.c12
-rw-r--r--lib/includes/gnutls/gnutls.h.in2
-rw-r--r--src/cli-args.c2
-rw-r--r--src/cli-args.h2
-rw-r--r--src/tls_test.c2
-rw-r--r--tests/resume-dtls.c2
-rw-r--r--tests/resume.c2
10 files changed, 23 insertions, 12 deletions
diff --git a/NEWS b/NEWS
index f22d2ca569..9854b5525c 100644
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,10 @@ Reported by danblack at http://savannah.gnu.org/support/?108146
** libgnutls: Added gnutls_ocsp_resp_check_crt() to check whether the OCSP
response corresponds to the given certificate.
+** libgnutls: In client side gnutls_init() enables the session ticket and
+OCSP certificate status request extensions by default. The flag
+GNUTLS_NO_EXTENSIONS can be used to prevent that.
+
** libdane: Added. It is a library to provide DANE with DNSSEC certificate
verification.
diff --git a/doc/examples/ex-client-resume.c b/doc/examples/ex-client-resume.c
index a9417ce9d0..0fe2a8860e 100644
--- a/doc/examples/ex-client-resume.c
+++ b/doc/examples/ex-client-resume.c
@@ -47,9 +47,6 @@ main (void)
sd = tcp_connect ();
gnutls_init (&session, GNUTLS_CLIENT);
- /* enable useful extensions */
- gnutls_session_ticket_enable_client(session);
- gnutls_ocsp_status_request_enable_client(session, NULL, 0, NULL);
gnutls_priority_set_direct (session, "PERFORMANCE:!ARCFOUR-128", NULL);
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index ce55b20805..6939ba36a6 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -55,10 +55,6 @@ int main (void)
gnutls_session_set_ptr (session, (void *) "my_host_name");
- /* enable useful extensions */
- gnutls_session_ticket_enable_client(session);
- gnutls_ocsp_status_request_enable_client(session, NULL, 0, NULL);
-
gnutls_server_name_set (session, GNUTLS_NAME_DNS, "my_host_name",
strlen("my_host_name"));
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 5793c5c029..a9a1ea036d 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -295,6 +295,11 @@ _gnutls_handshake_internal_state_clear (gnutls_session_t session)
* also available. The latter flag will enable a non-blocking
* operation of the DTLS timers.
*
+ * Note that since version 3.1.2 this function enables some common
+ * TLS extensions such as session tickets and OCSP certificate status
+ * request in client side by default. To prevent that use the %GNUTLS_NO_EXTENSIONS
+ * flag.
+ *
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int
@@ -402,6 +407,13 @@ gnutls_init (gnutls_session_t * session, unsigned int flags)
else
(*session)->internals.dtls.blocking = 1;
+ /* Enable useful extensions */
+ if ((flags & GNUTLS_CLIENT) && !(flags & GNUTLS_NO_EXTENSIONS))
+ {
+ gnutls_session_ticket_enable_client(*session);
+ gnutls_ocsp_status_request_enable_client(*session, NULL, 0, NULL);
+ }
+
return 0;
}
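Review bot: The return values of gnutls_session_ticket_enable_client() and gnutls_ocsp_status_request_enable_client() are discarded in the new block just before `return 0;`, so gnutls_init() reports success even when enabling one of the extensions fails (both return an int error code in the gnutls API, and the ticket one allocates), leaving the caller with a session that silently lacks what the documentation now promises. I would propagate the error: `ret = gnutls_session_ticket_enable_client(*session); if (ret < 0) { gnutls_assert(); return ret; }` and the same for the OCSP call, releasing `*session` on that path the way the earlier failure paths in gnutls_init() presumably do — the head of the function is outside the hunk, so I cannot see their cleanup convention. In the added doc paragraph, "in client side" reads better as "on the client side", and it would help to name the flag's scope explicitly: `To prevent that, pass the %GNUTLS_NO_EXTENSIONS flag; it only affects sessions initialised with %GNUTLS_CLIENT.`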
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 51e594e65c..ec553a03f3 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -295,12 +295,14 @@ extern "C"
* @GNUTLS_CLIENT: Connection end is a client.
* @GNUTLS_DATAGRAM: Connection is datagram oriented (DTLS).
* @GNUTLS_NONBLOCK: Connection should not block (DTLS).
+ * @GNUTLS_NO_EXTENSIONS: Do not enable any TLS extensions by default.
*
*/
#define GNUTLS_SERVER 1
#define GNUTLS_CLIENT (1<<1)
#define GNUTLS_DATAGRAM (1<<2)
#define GNUTLS_NONBLOCK (1<<3)
+#define GNUTLS_NO_EXTENSIONS (1<<4)
/**
* gnutls_alert_level_t:
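Review bot: The new `@GNUTLS_NO_EXTENSIONS: Do not enable any TLS extensions by default.` line overstates what the flag does: in lib/gnutls_state.c it only skips the two calls that enable the session ticket and OCSP status request extensions, and only when GNUTLS_CLIENT is also set. A reader could take it to mean the session advertises no extensions at all, which the hunk in gnutls_state.c does not support. I would make the comment match the implementation: `@GNUTLS_NO_EXTENSIONS: Do not enable the client-side extensions (session ticket, OCSP status request) that gnutls_init() otherwise turns on by default.`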
diff --git a/src/cli-args.c b/src/cli-args.c
index 585591836f..819ac38d66 100644
--- a/src/cli-args.c
+++ b/src/cli-args.c
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (cli-args.c)
*
- * It has been AutoGen-ed October 7, 2012 at 12:14:56 AM by AutoGen 5.16
+ * It has been AutoGen-ed October 7, 2012 at 01:02:46 PM by AutoGen 5.16
* From the definitions cli-args.def
* and the template file options
*
diff --git a/src/cli-args.h b/src/cli-args.h
index 55d213812f..f2ad811dfd 100644
--- a/src/cli-args.h
+++ b/src/cli-args.h
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (cli-args.h)
*
- * It has been AutoGen-ed October 7, 2012 at 12:14:56 AM by AutoGen 5.16
+ * It has been AutoGen-ed October 7, 2012 at 01:02:46 PM by AutoGen 5.16
* From the definitions cli-args.def
* and the template file options
*
diff --git a/src/tls_test.c b/src/tls_test.c
index 67ff904d2f..f4f61b1a6f 100644
--- a/src/tls_test.c
+++ b/src/tls_test.c
@@ -275,7 +275,7 @@ main (int argc, char **argv)
continue;
}
}
- ERR (err, "connect") gnutls_init (&state, GNUTLS_CLIENT);
+ ERR (err, "connect") gnutls_init (&state, GNUTLS_CLIENT|GNUTLS_NO_EXTENSIONS);
gnutls_transport_set_ptr (state, (gnutls_transport_ptr_t)
gl_fd_to_handle (sd));
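Review bot: The return value of gnutls_init() on the changed line is still discarded, and the line reads as though `ERR (err, "connect")` guarded the init call when it actually checks the preceding connect result. Assuming ERR expands to a complete statement, I would split the line so each call is checked on its own: `ERR (err, "connect");` then `err = gnutls_init (&state, GNUTLS_CLIENT|GNUTLS_NO_EXTENSIONS);` then `ERR (err, "init");`. main() begins and ends outside the hunk.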
diff --git a/tests/resume-dtls.c b/tests/resume-dtls.c
index 03f606ce18..3e56645a7e 100644
--- a/tests/resume-dtls.c
+++ b/tests/resume-dtls.c
@@ -122,7 +122,7 @@ client (struct params_res *params)
/* Initialize TLS session
*/
- gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM);
+ gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM|GNUTLS_NO_EXTENSIONS);
/* Use default priorities */
gnutls_priority_set_direct (session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
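Review bot: Passing GNUTLS_NO_EXTENSIONS here opts the client out of the session ticket extension that gnutls_init() now enables by default, so unless client() later enables tickets itself based on params — the rest of client() is outside the hunk, so I cannot tell — these tests no longer exercise ticket-based resumption through the new default path. The same applies to the identical change in tests/resume.c. Either way, the bare flag deserves a one-line comment for the next reader, e.g. `/* GNUTLS_NO_EXTENSIONS: the test decides per params which extensions to enable */`, adjusted to what client() actually does.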
diff --git a/tests/resume.c b/tests/resume.c
index 6b63332385..b6b47d7c47 100644
--- a/tests/resume.c
+++ b/tests/resume.c
@@ -113,7 +113,7 @@ client (struct params_res *params)
/* Initialize TLS session
*/
- gnutls_init (&session, GNUTLS_CLIENT);
+ gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_NO_EXTENSIONS);
/* Use default priorities */
gnutls_priority_set_direct (session, "NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);