- 25 4月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
This option shows the certificates as sent by the server. It is not the full verified chain. Fixes #4933 Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6067)
-
- 08 4月, 2018 1 次提交
-
-
由 Andy Polyakov 提交于
Even though removed calls were oiriginally added on Windows, problem they tried to mitigate is not Windows-specific. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5887)
-
- 22 3月, 2018 1 次提交
-
-
由 FdaSilvaYY 提交于
Add missing guards around STRP-related fields Remove two unneeded global variables: my 2'cents to #4679 Merge definition and instantiation of srpsrvparm global. Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NBen Kaduk <kaduk@mit.edu> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4908)
-
- 20 3月, 2018 1 次提交
-
-
由 Richard Levitte 提交于
We did the SSL_CONF_cmd() pass last of all things that could affect the SSL ctx. However, the results of this, for example: -max_protocol TLSv1.3 -tls1_2 ... would mean that the protocol min got set to TLSv1.2 and the protocol max to TLSv1.3, when they should clearly both be TLSv1.2. However, if we see the SSL_CONF_cmd() switches as generic and those internal to s_client and s_server as specialisations, we get something that makes a little more sense. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5679)
-
- 09 3月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
We also default to SHA256 as per the spec if we do not have an explicit digest defined. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5554)
-
- 20 2月, 2018 1 次提交
-
-
由 John Hughes 提交于
Add -bind option to s_client application to allow specification of local address for connection. Reviewed-by: NAndy Polyakov <appro@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5272)
-
- 14 2月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
The s_client psk_use_session_cb callback has a comment stating that we should ignore a key that isn't suitable for TLSv1.3. However we were actually causing the connection to fail. Changing the return value fixes the issue. Also related to this is that the early_data extension was not marked as TLSv1.3 only which it should be. Fixes #5202 Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/5205)
-
- 02 2月, 2018 1 次提交
-
-
由 Todd Short 提交于
Add SSL_verify_client_post_handshake() for servers to initiate PHA Add SSL_force_post_handshake_auth() for clients that don't have certificates initially configured, but use a certificate callback. Update SSL_CTX_set_verify()/SSL_set_verify() mode: * Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after the initial handshake. * Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless of when the certificate authentication takes place; either initial handshake, re-negotiation, or post-handshake authentication. Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options Add support to s_client: * Enabled automatically when cert is configured * Can be forced enabled via -force_pha Add support to s_server: * Use 'c' to invoke PHA in s_server * Remove some dead code Update documentation Update unit tests: * Illegal use of PHA extension * TLSv1.3 certificate tests DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is implemented, it's PHA support state machine may need to be different. Add a TODO and a #error Update handshake context to deal with PHA. The handshake context for TLSv1.3 post-handshake auth is up through the ClientFinish message, plus the CertificateRequest message. Subsequent Certificate, CertificateVerify, and Finish messages are based on this handshake context (not the Certificate message per se, but it's included after the hash). KeyUpdate, NewSessionTicket, and prior Certificate Request messages are not included in post-handshake authentication. After the ClientFinished message is processed, save off the digest state for future post-handshake authentication. When post-handshake auth occurs, copy over the saved handshake context into the "main" handshake digest. This effectively discards the any KeyUpdate or NewSessionTicket messages and any prior post-handshake authentication. This, of course, assumes that the ID-22 did not mean to include any previous post-handshake authentication into the new handshake transcript. This is implied by section 4.4.1 that lists messages only up to the first ClientFinished. Reviewed-by: NBen Kaduk <kaduk@mit.edu> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4964)
-
- 01 2月, 2018 1 次提交
-
-
由 Richard Levitte 提交于
Everything in apps includes apps.h, because that one declares apps internal library routines. However, progs.h doesn't declare library routines, but rather the main commands and their options, and there's no reason why the library modules should include it. So, remove the inclusion of progs.h from apps.h and add that inclusion in all command source files. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5222)
-
- 19 1月, 2018 1 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/5110)
-
- 15 1月, 2018 2 次提交
-
-
由 Richard Levitte 提交于
This was identified for Windows almost two years ago for VC and msys/mingw. It seems that Cygwin suffers from the same issue, and since Cygwin doesn't define OPENSSL_SYS_WINDOWS, we need to make a special case to have a 50ms pause before closing the TLS connection. Ref: git commit cb2e10f2Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5074)
-
由 Bernd Edlinger 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5072)
-
- 22 11月, 2017 1 次提交
-
-
由 Matt Caswell 提交于
As per this comment: https://github.com/openssl/openssl/issues/4496#issuecomment-337767145 Since the server is entitled to reject our session our ClientHello should include everything that we would want if a full handshake were to happen. Therefore we shouldn't use the session as a source of information for setting SNI. Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4738)
-
- 13 11月, 2017 1 次提交
-
-
由 Andy Polyakov 提交于
It's argued that /WX allows to keep better focus on new code, which motivates its comeback... Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4721)
-
- 10 11月, 2017 1 次提交
-
-
由 Matt Caswell 提交于
We were using OPENSSL_strdup() unnecessarily and then failing to free it. There is no reason to use OPENSSL_strdup() in this scenario - so just remove it. Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4699)
-
- 08 11月, 2017 1 次提交
-
-
由 FdaSilvaYY 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4457)
-
- 06 11月, 2017 1 次提交
-
-
由 FdaSilvaYY 提交于
Based on patch from Tomasz Moń: https://groups.google.com/forum/#!topic/mailing.openssl.dev/fQxXvCg1uQYReviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/1008)
-
- 23 10月, 2017 1 次提交
-
-
由 KaoruToda 提交于
apps/s_server.c: remove unnecessary null check Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NAndy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4558)
-
- 18 10月, 2017 1 次提交
-
-
由 KaoruToda 提交于
Since return is inconsistent, I removed unnecessary parentheses and unified them. Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4541)
-
- 17 10月, 2017 1 次提交
-
-
由 Paul Yang 提交于
And also make '-xmpphost' an alias of the '-name' option. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4524)
-
- 31 8月, 2017 4 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3926)
-
由 Matt Caswell 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3926)
-
由 Matt Caswell 提交于
If we have not decided on an SNI value yet, but we are attempting to reuse a session, and SNI is set in that, then we should use that value by default. Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3926)
-
由 Matt Caswell 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3926)
-
- 30 8月, 2017 1 次提交
-
-
由 Pauli 提交于
cryptilib.h is the second. Reviewed-by: NAndy Polyakov <appro@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4188)
-
- 23 8月, 2017 1 次提交
-
-
由 Rich Salz 提交于
Remove GETPID_IS_MEANINGLESS and osslargused. Move socket-related things to new file internal/sockets.h; this is now only needed by four(!!!) files. Compiles should be a bit faster. Remove USE_SOCKETS ifdef's Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4209)
-
- 18 8月, 2017 1 次提交
-
-
由 Balaji Marisetti 提交于
CLA: trivial Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4067)
-
- 15 8月, 2017 2 次提交
-
-
由 Rich Salz 提交于
This reverts commit c4d2e483. Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4160)
-
由 Rich Salz 提交于
Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4160)
-
- 17 7月, 2017 1 次提交
-
-
由 Rich Salz 提交于
Standardized the -rand flag and added a new one: -rand file... Always reads the specified files -writerand file Always writes to the file on exit For apps that use a config file, the RANDFILE config parameter reads the file at startup (to seed the RNG) and write to it on exit if the -writerand flag isn't used. Ensured that every app that took -rand also took -writerand, and made sure all of that agreed with all the documentation. Fix error reporting in write_file and -rand Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/3862)
-
- 07 7月, 2017 2 次提交
-
-
由 Matt Caswell 提交于
If the hostname is provided as a positional arg then s_client crashes. The crash occurs as s_client exits (after either a successful or unsuccessful connection attempt). This issue was introduced by commit 729ef856. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3881)
-
由 Matt Caswell 提交于
We were not freeing the session created when loading a PSK session file. Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/3855)
-
- 29 6月, 2017 1 次提交
-
-
由 Steven Danneman 提交于
The packet parsing code for the server version string was incrementing the array index twice on every iteration. This meant that strings with an even number of characters would pass, but strings with an odd number (ex: 5.7.18-0ubuntu0.16.04.1) would cause the pos variable to get out of sync. This would cause a later failure with "MySQL packet is broken." CLA: trivial Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3799)
-
- 21 6月, 2017 7 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3670)
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3670)
-
由 Matt Caswell 提交于
Ensure that we properly distinguish between successful return (PSK provided), successful return (no PSK provided) and failure. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3670)
-
由 Matt Caswell 提交于
Broken through previous PSK related commits Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3670)
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3670)
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3670)
-
由 Rich Salz 提交于
This is done with the kind permission of Nokia. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3722)
-