- 09 Feb, 2016 1 commit
Committed by Viktor Dukhovni
As documented, both SSL_get0_dane_authority() and SSL_get0_dane_tlsa() are expected to return a negative match depth and nothing else when verification fails. However, this only happened when verification failed during chain construction. Errors in verification of the constructed chain did not have the intended effect on these functions.

This commit updates the functions to check for verify_result == X509_V_OK, and no longer erases any accumulated match information when chain construction fails. Sophisticated developers can, with care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA info even when verification fails. They must of course first check and save the real error, and restore the original error as quickly as possible. Hiding by default seems to be the safer interface.

Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find matching TLSA records. Previously reported via X509_V_ERR_CERT_UNTRUSTED.

This also changes the "-brief" output from s_client to include verification results and TLSA match information.

Mentioned session resumption in code example in SSL_CTX_dane_enable(3). Also mentioned that depths returned are relative to the verified chain which is now available via SSL_get0_verified_chain(3).

Added a few more test-cases to danetest, that exercise the new code.

Resolved thread safety issue in use of static buffer in X509_verify_cert_error_string().

Fixed long-standing issue in apps/s_cb.c which always sets verify_error to either X509_V_OK or "chain too long", code elsewhere (e.g. s_time.c), seems to expect the actual error. [ The new chain construction code is expected to correctly generate "chain too long" errors, so at some point we need to drop the work-arounds, once SSL_set_verify_depth() is also fixed to propagate the depth to X509_STORE_CTX reliably. ]

Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- 06 Feb, 2016 2 commits
Committed by A J Mohan Rao
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Committed by Viktor Dukhovni
Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
- 15 Jan, 2016 1 commit
Committed by Rich Salz
It turns out that -pause calls the undocumented function SSL_set_debug. That just sets a flag inside the SSL structure. That flag, despite the command, is never used. So remove the flag, the field, and the function.
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- 08 Jan, 2016 1 commit
Committed by Viktor Dukhovni
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- 21 Nov, 2015 1 commit
Committed by Matt Caswell
Document the libssl and command line application aspects of async.
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- 14 Nov, 2015 1 commit
Committed by Nathan Phillip Brink
Reviewed-by: Tim Hudson <tjh@openssl.org>
-
- 25 Sep, 2015 1 commit
Committed by Matt Caswell
Add documentation to all the appropriate apps for the new -no-CApath and -no-CAfile options.
Reviewed-by: Andy Polyakov <appro@openssl.org>
-
- 22 Aug, 2015 1 commit
Committed by Rich Salz
L<foo|foo> is sub-optimal. If the xref is the same as the title, which is what we do, then you only need L<foo>. This fixes all 1457 occurrences in 349 files. Approximately. (And pod used to need both.)
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- 31 Jul, 2015 1 commit
Committed by Kai Engert
Reviewed-by: Matt Caswell <matt@openssl.org>
-
- 23 May, 2015 1 commit
Committed by Michael Trapp
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- 03 May, 2015 1 commit
Committed by Alok Menghrajani
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
-
- 25 Feb, 2015 1 commit
Committed by Matt Caswell
the X509_V_FLAG_NO_ALT_CHAINS flag.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
- 04 Dec, 2014 1 commit
Committed by Kurt Roeckx
The only support for SSLv2 left is receiving a SSLv2 compatible client hello.
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- 15 Oct, 2014 1 commit
Committed by Bodo Moeller
handling out of #ifndef OPENSSL_NO_DTLS1 section.
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- 15 Jul, 2014 1 commit
Committed by Hubert Kario
Add description of the option to advertise support of Next Protocol Negotiation extension (-nextprotoneg) to man pages of s_client and s_server.
PR#3444
-
- 07 Jul, 2014 1 commit
Committed by Dr. Stephen Henson
-
- 04 Jul, 2014 1 commit
Committed by Dr. Stephen Henson
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs
-
- 03 Jul, 2014 1 commit
Committed by Rich Salz
298 424 656 882 939 1630 1807 2263 2294 2311 2424 2623 2637 2686 2697 2921 2922 2940 3055 3112 3156 3177 3277
-
- 20 Jun, 2014 2 commits
Committed by Hubert Kario
cms, ocsp, s_client, s_server and smime tools also use args_verify() for parsing options, that makes them most of the same options verify tool does. Add those options to man pages and reference their explanation in the verify man page.
-
Committed by Hubert Kario
Add -trusted_first description to help messages and man pages of tools that deal with certificate verification.
-
- 07 Apr, 2014 1 commit
Committed by Dr. Stephen Henson
-
- 06 Sep, 2013 3 commits
Committed by Scott Deboy
Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions).
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API.
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
-
* Many XMPP servers are configured with multiple domains (virtual hosts)
* In order to establish successfully the TLS connection you have to specify which virtual host you are trying to connect.
* Test this, for example with ::
  * Fail: openssl s_client -connect talk.google.com:5222 -starttls xmpp
  * Works: openssl s_client -connect talk.google.com:5222 -starttls xmpp -xmpphost gmail.com
-
-
- 18 Jun, 2013 1 commit
Committed by Trevor
serverinfo rejects non-empty extensions. Omit extension if no relevant serverinfo data. Improve error-handling in serverinfo callback. Cosmetic cleanups. s_client documentation. s_server documentation. SSL_CTX_serverinfo documentation. Cleanup -1 and NULL callback handling for custom extensions, add tests. Cleanup ssl_rsa.c serverinfo code. Whitespace cleanup. Improve comments in ssl.h for serverinfo. Whitespace. Cosmetic cleanup. Reject non-zero-len serverinfo extensions. Whitespace. Make it build.
-
- 20 Nov, 2012 3 commits
Committed by Dr. Stephen Henson
-
Committed by Dr. Stephen Henson
-
Committed by Dr. Stephen Henson
-
- 26 Jun, 2009 1 commit
Committed by Dr. Stephen Henson
-
- 15 Apr, 2009 1 commit
Committed by Dr. Stephen Henson
-
- 23 Aug, 2007 1 commit
Committed by Dr. Stephen Henson
-
- 17 Feb, 2007 1 commit
Committed by Richard Levitte
Submitted by Kees Cook <kees@outflux.net>
-
- 11 Mar, 2006 1 commit
Committed by Nils Larsch
PR: 1191
Submitted by: Mika Kousa and Pasi Eronen of Nokia Corporation
Reviewed by: Nils Larsch
-
- 17 Nov, 2004 1 commit
Committed by Dr. Stephen Henson
Add command line options -certform, -keyform and -pass to s_client and s_server. This supports the use of alternative passphrase sources, key formats and keys handled by an ENGINE. Update docs.
-
- 05 Jan, 2004 1 commit
Committed by Lutz Jänicke
Submitted by: "Martin Witzel" <MWITZEL@de.ibm.com>
PR: #570
-
- 29 May, 2003 1 commit
Committed by Lutz Jänicke
Submitted by: dg@sunet.ru (Daniel Ginsburg)
PR: #613
-
- 21 Mar, 2003 1 commit
Committed by Richard Levitte
PR: 542
-
- 10 Nov, 2001 1 commit
Committed by Bodo Möller
-
- 07 Sep, 2001 1 commit
Committed by Ulf Möller
-