Age | Commit message (Collapse) | Author |
|
There are plenty of popular, readily-available external tools
that, frankly, provide better options for going through proxies--
both of the HTTP variety and others (corkscrew, httptunnel, socat...);
and dropping our internal implementation results in a significant
reduction in code complexity--including the complete elimination
of multithreading and all of the worries that go along with it.
|
|
Just use sleep() where only whole-second resolution is used
to delay between reconnect-attempts; and nanosleep where
sub-second resolution is used.
sleep() should actually be OK, because we don't intermix those calls
with alarm() or any other signals or itimer functions.
nanosleep() should be OK because POSIX.1-2001 requires
that it not have the crazy signal interactions
that its predecessors are known for.
|
|
This makes it possible to have different CA certificates for different realms,
or certificate auth for only some realms and password auth for others.
|
|
|
|
|
|
(rather than just "yes")
|
|
Refuse to use pre-TLS SSL, since now SSLv3 has been broken by POODLE attack.
|
|
Trust the clients to negotiate the latest/best protocol version they can.
This should generally improve security over time (as OpenSSL improves
and implements improved protocols) without having the APF codebase
or server/client deployments need to chase latest OpenSSL API additions,
causing portability problems, or breaking client deployments that
are hard to upgrade.
|
|
This makes x.509 certification more usable/maintainable,
because the intermediate CA keys don't all need to be
maintained on the server (the certification tools just need
to concatenate the CA chain onto the APF-client certificates
as part of the certification-process).
|
|
|
|
|