# HG changeset patch
# User Sebastien Decugis
# Date 1370837090 -28800
# Node ID 436e4342ecd0ab6dde9cb74e96f689f0ef497f2c
# Parent 56c36d1007b4eb1108b7a3702589c9cbb2aeeb1f
Rollback to using TLS/SCTP in release 1.2.0. DTLS dev to happen in freeDiameter-dtls branch
diff -r 56c36d1007b4 -r 436e4342ecd0 contrib/debian/changelog
--- a/contrib/debian/changelog Fri Jun 07 18:48:34 2013 +0800
+++ b/contrib/debian/changelog Mon Jun 10 12:04:50 2013 +0800
@@ -27,8 +27,9 @@
 * Allow running without TLS configuration.
 * Upgraded SCTP code to comply with RFC 6458
 * Using default secure Diameter port number 5658 as per RFC 6733
+ * Updated TLS code for performance improvements with new GNU TLS.
- -- Sebastien Decugis Mon, 03 Jun 2013 14:20:05 +0800
+ -- Sebastien Decugis Mon, 10 Jun 2013 12:03:59 +0800
 freediameter (1.1.6) UNRELEASED; urgency=low
diff -r 56c36d1007b4 -r 436e4342ecd0 doc/freediameter.conf.sample
--- a/doc/freediameter.conf.sample Fri Jun 07 18:48:34 2013 +0800
+++ b/doc/freediameter.conf.sample Mon Jun 10 12:04:50 2013 +0800
@@ -30,16 +30,10 @@
 # The port this peer is listening on for incoming TLS-protected connections (TCP and SCTP).
 # See TLS_old_method for more information about TLS flavours.
+# Note: we use TLS/SCTP instead of DTLS/SCTP at the moment. This will change in future version of freeDiameter.
 # Default: 5658. Use 0 to disable.
 #SecPort = 5658;
-# freeDiameter 1.2.0 introduces the support of DTLS over SCTP (RFC6083) instead of TLS over SCTP (RFC3436),
-# as specified in RFC6733. If you need compatibility with older implementation that use TLS over SCTP, you
-# can open an additional SCTP server port using TLS/SCTP by specifying the following parameter.
-# Note that no TCP server is started on the following port.
-# Default: 0 (disabled). Use 3869 for compatibility with freeDiameter < 1.2.0.
-#SctpSec3436 = 0;
-
 # Use RFC3588 method for TLS protection, where TLS is negociated after CER/CEA exchange is completed
 # on the unsecure connection. The alternative is RFC6733 mechanism, where TLS protects also the
 # CER/CEA exchange on a dedicated secure port.
@@ -217,8 +211,7 @@
 #ConnectPeer = "diameterid" [ { parameter1; parameter2; ...} ] ;
 # Parameters that can be specified in the peer's parameter list:
 # No_TCP; No_SCTP; No_IP; No_IPv6; Prefer_TCP; TLS_old_method;
-# No_TLS; # assume transparent security instead of TLS
-# SctpSec3436; # Use TLS/SCTP instead of DTLS/SCTP to protect SCTP associations with this peer.
+# No_TLS; # assume transparent security instead of TLS. DTLS is not supported yet (will change in future versions).
 # Port = 5658; # The port to connect to
 # TcTimer = 30;
 # TwTimer = 30;
diff -r 56c36d1007b4 -r 436e4342ecd0 libfdcore/fdd.l
--- a/libfdcore/fdd.l Fri Jun 07 18:48:34 2013 +0800
+++ b/libfdcore/fdd.l Mon Jun 10 12:04:50 2013 +0800
@@ -245,7 +245,7 @@
 (?i:"Realm") { return REALM; }
 (?i:"Port") { return PORT; }
 (?i:"SecPort") { return SECPORT; }
-(?i:"SctpSec3436") { return SEC3436; }
+ /* (?i:"SctpSec3436") { return SEC3436; } */
 (?i:"No_IPv6") { return NOIP6; }
 (?i:"No_IP") { return NOIP; }
 (?i:"No_TCP") { return NOTCP; }
diff -r 56c36d1007b4 -r 436e4342ecd0 libfdcore/p_cnx.c
--- a/libfdcore/p_cnx.c Fri Jun 07 18:48:34 2013 +0800
+++ b/libfdcore/p_cnx.c Mon Jun 10 12:04:50 2013 +0800
@@ -282,7 +282,7 @@
 /* Handshake if needed (secure port) */
 if (nc->dotls) {
 CHECK_FCT_DO( fd_cnx_handshake(cnx, GNUTLS_CLIENT,
- (peer->p_hdr.info.config.pic_flags.sctpsec == PI_SCTPSEC_3436) ? ALGO_HANDSHAKE_3436 : ALGO_HANDSHAKE_DEFAULT,
+ ALGO_HANDSHAKE_3436,
 peer->p_hdr.info.config.pic_priority, NULL),
 {
 /* Handshake failed ... */
diff -r 56c36d1007b4 -r 436e4342ecd0 libfdcore/server.c
--- a/libfdcore/server.c Fri Jun 07 18:48:34 2013 +0800
+++ b/libfdcore/server.c Mon Jun 10 12:04:50 2013 +0800
@@ -53,7 +53,7 @@
 struct cnxctx * conn; /* server connection context (listening socket) */
 int proto; /* IPPROTO_TCP or IPPROTO_SCTP */
- int secur; /* TLS is started immediatly after connection ? 0: no; 1: yes (TLS/TCP or DTLS/SCTP); 2: yes (TLS/TCP or TLS/SCTP) */
+ int secur; /* TLS is started immediatly after connection ? 0: no; 2: yes (TLS/TCP or TLS/SCTP) */
 pthread_t thr; /* The thread listening for new connections */
 enum s_state state; /* state of the thread */
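Review bot: The `SctpSec3436` rule is commented out rather than deleted on the added line, so a configuration file that still contains the keyword is no longer recognised as a token and is handled by whatever fallback rule the lexer has, which this hunk does not show; if that fallback is a generic syntax error the operator gets no hint that the option was withdrawn and that TLS/SCTP is now always used. Either delete the line outright (the repository history keeps it) or keep the rule and have its action report specifically that the option is no longer supported, through the same error path the lexer's fallback rule uses. A commented-out rule also leaves the `SEC3436` token it returned apparently unreferenced; if the token is still declared in the grammar it is now unreachable and should go with it.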
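Review bot: The hardcoded `ALGO_HANDSHAKE_3436` on the added line silently overrides the peer's `pic_flags.sctpsec` setting, which the removed line shows is still part of the peer configuration; nothing at this call site tells a reader that a per-peer choice is now ignored, so re-enabling the flag in the parser later would not obviously break anything here. A one-line comment would preserve that knowledge: `ALGO_HANDSHAKE_3436, /* DTLS/SCTP (RFC 6083) not supported yet: TLS/SCTP (RFC 3436) for every peer, pic_flags.sctpsec is ignored */`. If this handshake path is also taken for TCP connections, confirm that the 3436 algorithm is a no-op for them — the hunk does not show what `fd_cnx_handshake` does with the argument on a TCP connection. The enclosing function begins and ends outside the hunk.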
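Review bot: `secur` stays a plain `int` whose legal values are documented only in the comment on the added line, and the value `1` the old comment defined disappears without anything stopping a caller from still passing it; a reader of the thread that consumes this field (outside the hunk) cannot tell from the struct whether a `== 1` or `!= 0` test there is still correct. Naming the two remaining values next to the struct, e.g. `enum { SERV_SECUR_NONE = 0, SERV_SECUR_TLS_3436 = 2 };`, would make the TLS flavour explicit at every `new_serv` call and let the compiler flag the dropped value. The struct definition begins outside the hunk.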
@@ -360,19 +360,19 @@
 /* Create the server on secure port */
 if (fd_g_config->cnf_port_tls) {
- CHECK_MALLOC( s = new_serv(IPPROTO_SCTP, 1) );
+ CHECK_MALLOC( s = new_serv(IPPROTO_SCTP, 2 /* Change when DTLS is introduced */) );
 CHECK_MALLOC( s->conn = fd_cnx_serv_sctp(fd_g_config->cnf_port_tls, empty_conf_ep ? NULL : &fd_g_config->cnf_endpoints) );
 fd_list_insert_before( &FD_SERVERS, &s->chain );
 CHECK_POSIX( pthread_create( &s->thr, NULL, serv_th, s ) );
 }
 /* Create the other server on 3436 secure port */
- if (fd_g_config->cnf_port_3436) {
+ /*if (fd_g_config->cnf_port_3436) {
 CHECK_MALLOC( s = new_serv(IPPROTO_SCTP, 2) );
 CHECK_MALLOC( s->conn = fd_cnx_serv_sctp(fd_g_config->cnf_port_3436, empty_conf_ep ? NULL : &fd_g_config->cnf_endpoints) );
 fd_list_insert_before( &FD_SERVERS, &s->chain );
 CHECK_POSIX( pthread_create( &s->thr, NULL, serv_th, s ) );
- }
+ }*/
 #endif /* DISABLE_SCTP */
 }
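Review bot: The `2 /* Change when DTLS is introduced */` passed to `new_serv` on the added line is a magic number whose meaning lives only in the `secur` field comment elsewhere in the file, and the same literal is repeated inside the commented-out block below; a named constant at this call site would make the listener's TLS flavour explicit and checkable. The 3436 block should be removed rather than left inside a `/* */` comment: with the `SctpSec3436` lexer rule disabled, `fd_g_config->cnf_port_3436` can no longer be set from a configuration file, so the block is dead, and the repository history already preserves it. If the TCP listener for `cnf_port_tls`, created above this hunk, still passes `1` to `new_serv`, the TCP and SCTP listeners for the same port now carry different `secur` values and the field comment no longer describes one of them — worth checking that the accept thread treats both the same. The enclosing function starts outside the hunk.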