The following example illustrates how to define each of the supported
System SSL TLS extensions for a TLS client. The HMAC and maximum fragment
extensions are defined at the environment level. The server name indication
extension is defined, while the HMAC extension is modified for a particular
connection. The environment level extensions are being defined as
required and connection level extensions as optional. Required extensions
require that the partner TLS server support the specified TLS extensions.
If it does not support the extensions, the TLS handshake fails.
int rc;
gsk_handle envHandle;
gsk_handle conHandle;
gsk_tls_extension tls_extn_env[2];
gsk_tls_extension tls_extn_con[2];
char server1[] = "server1.ibm.com";
char server2[] = "server2.ibm.com";
char * serverNames[] = {server1, server2};
/*
* Open the SSL environment
*/
rc = gsk_environment_open(&envHandle);
/*
* Set truncated HMAC extension
*/
memset(&tls_extn_env[0], 0, sizeof(gsk_tls_extension));
tls_extn_env[0].extId = GSK_TLS_EXTID_TRUNCATED_HMAC;
tls_extn_env[0].required = TRUE; /* required extension */
tls_extn_env[0].u.truncateHmac = TRUE; /* enable extension */
rc = gsk_attribute_set_tls_extension(envHandle,&tls_extn_env[0]);
/*
* Set maximum fragment length extension
*/
memset(&tls_extn_env[1], 0, sizeof(gsk_tls_extension));
tls_extn_env[1].extId = GSK_TLS_EXTID_CLIENT_MFL;
tls_extn_env[1].required = TRUE; /* required extension */
tls_extn_env[1].u.maxFragmentLength = GSK_TLS_MFL_4096;
/* set 4096 bit fragment length */
rc = gsk_attribute_set_tls_extension(envHandle,&tls_extn_env[1]);
/*
* Initialize the SSL environment
*/
rc = gsk_environment_init(envHandle);
/*
* Open the SSL connection
*/
rc = gsk_secure_socket_open(envHandle, &conHandle);
/*
* Set server name indication extension
*/
memset(&tls_extn_con[0], 0, sizeof(gsk_tls_extension));
tls_extn_con[0].extId = GSK_TLS_EXTID_SNI_CLIENT_SNAMES;
tls_extn_con[0].required = FALSE; /* optional extension */
tls_extn_con[0].u.clientSnameList.setSni = TRUE;
/* enable extension */
tls_extn_con[0].u.clientSnameList.unrecognized_name_fatal = TRUE;
/* unrecognized name is fatal */
tls_extn_con[0].u.clientSnameList.count = 2;
tls_extn_con[0].u.clientSnameList.serverNames = serverNames;
rc = gsk_attribute_set_tls_extension(envHandle,&tls_extn_con[0]);
/*
* Modify truncated HMAC extension
*/
memset(&tls_extn_con[0], 0, sizeof(gsk_tls_extension));
tls_extn_con[0].extId = GSK_TLS_EXTID_TRUNCATED_HMAC;
tls_extn_con[1].required = FALSE; /* optional extension */
tls_extn_con[0].u.truncateHmac = TRUE; /* enable extension */
rc = gsk_attribute_set_tls_extension(envHandle,&tls_extn_con[1]);
/*
* Initialize the SSL connection
*/
rc = gsk_secure_socket_init(conHandle)