sec_protocol_options_set_tls_ocsp_enabled(sec_options, false);
sec_protocol_options_set_tls_sct_enabled(sec_options, false);
sec_protocol_options_set_peer_authentication_required(sec_options, true);
sec_protocol_options_set_tls_renegotiation_enabled(sec_options, true);
sec_protocol_options_set_tls_tickets_enabled(sec_options, true);
sec_protocol_options_set_tls_resumption_enabled(sec_options, true);
sec_protocol_options_add_pre_shared_key(sec_options, psk, client_id);
This is all we have to work with when using the network framework but there's no way to specify i.e. encrypt-then-mac extensions if we are using CBC ciphersuites, there's very little control considering how messy TLS security can get- surely even the option of setting the raw hex of the TLS extensions appended to what is included above is desirable.