1. 19 May 2016, 4 commits
  2. 17 May 2016, 1 commit
  3. 16 May 2016, 2 commits
  4. 14 May 2016, 1 commit
  5. 09 May 2016, 1 commit
  6. 06 May 2016, 1 commit
    • Handle no async jobs in libssl · fc7f190c
      Matt Caswell committed
      If the application has limited the size of the async pool using
      ASYNC_init_thread() then we could run out of jobs while trying to start a
      libssl io operation. However libssl was failing to handle this and treating
      it like a fatal error. It should not be fatal...we just need to retry when
      there are jobs available again.
      Reviewed-by: Richard Levitte <levitte@openssl.org>
  7. 05 May 2016, 1 commit
  8. 03 May 2016, 1 commit
    • Issue #719: · 5f18bc58
      TJ Saunders committed
      If no serverinfo extension is found in some cases, do not abort the handshake,
      but simply omit/skip that extension.
      
      Check for already-registered serverinfo callbacks during serverinfo
      registration.
      
      Update SSL_CTX_use_serverinfo() documentation to mention the need to reload the
      same serverinfo per certificate, for servers with multiple server certificates.
      Reviewed-by: Richard Levitte <levitte@openssl.org>
      Reviewed-by: Rich Salz <rsalz@openssl.org>
  9. 02 May 2016, 1 commit
  10. 22 April 2016, 1 commit
    • Enabled DANE only when at least one TLSA RR was added · 9f6b22b8
      Viktor Dukhovni committed
      It is up to the caller of SSL_dane_tlsa_add() to take appropriate
      action when no records are added successfully or adding some records
      triggers an internal error (negative return value).
      
      With this change the caller can continue with PKIX if desired when
      none of the TLSA records are usable, or take some appropriate action
      if DANE is required.
      
      Also fixed the internal ssl_dane_dup() function to properly initialize
      the TLSA RR stack in the target SSL handle.  Errors in ssl_dane_dup()
      are no longer ignored.
      Reviewed-by: Rich Salz <rsalz@openssl.org>
  11. 14 April 2016, 1 commit
  12. 13 April 2016, 2 commits
  13. 11 April 2016, 1 commit
  14. 08 April 2016, 2 commits
    • Suppress CT callback as appropriate · 43341433
      Viktor Dukhovni committed
      Suppress CT callbacks with aNULL or PSK ciphersuites that involve
      no certificates.  Ditto when the certificate chain is validated via
      DANE-TA(2) or DANE-EE(3) TLSA records.  Also skip SCT processing
      when the chain fails verification.
      
      Move and consolidate CT callbacks from libcrypto to libssl.  We
      also simplify the interface to SSL_{,CTX_}_enable_ct() which can
      specify either a permissive mode that just collects information or
      a strict mode that requires at least one valid SCT or else asks to
      abort the connection.
      
      Simplified SCT processing and options in s_client(1) which now has
      just a simple pair of "-noct" vs. "-ct" options, the latter enables
      the permissive callback so that we can complete the handshake and
      report all relevant information.  When printing SCTs, print the
      validation status if set and not valid.
      Signed-off-by: Rob Percival <robpercival@google.com>
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
    • Fix client verify mode to check SSL_VERIFY_PEER · c636c1c4
      Viktor Dukhovni committed
      The original check for != SSL_VERIFY_NONE can give surprising results
      when flags SSL_VERIFY_PEER is not set, but other flags are.  Note
      that SSL_VERIFY_NONE (0) is not a flag bit, it is rather the absence
      of all other flag bits.
      Signed-off-by: Rob Percival <robpercival@google.com>
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
  15. 28 March 2016, 1 commit
  16. 23 March 2016, 1 commit
  17. 21 March 2016, 1 commit
  18. 19 March 2016, 1 commit
  19. 13 March 2016, 1 commit
  20. 10 March 2016, 5 commits
  21. 08 March 2016, 5 commits
  22. 04 March 2016, 1 commit
  23. 03 March 2016, 1 commit
  24. 29 February 2016, 1 commit
    • Refactor the async wait fd logic · ff75a257
      Matt Caswell committed
      Implementation experience has shown that the original plan for async wait
      fds was too simplistic. Originally the async logic created a pipe internally
      and user/engine code could then get access to it via API calls. It is more
      flexible if the engine is able to create its own fd and provide it to the
      async code.
      
      Another issue is that there can be a lot of churn in the fd value within
      the context of (say) a single SSL connection leading to continually adding
      and removing fds from (say) epoll. It is better if we can provide some
      stability of the fd value across a whole SSL connection. This is
      problematic because an engine has no concept of an SSL connection.
      
      This commit refactors things to introduce an ASYNC_WAIT_CTX which acts as a
      proxy for an SSL connection down at the engine layer.
      Reviewed-by: Richard Levitte <levitte@openssl.org>
  25. 28 February 2016, 1 commit
    • RT4354: Add some cross-refs · e0b5108c
      Jeffrey Walton committed
      Stack Overflow has a number of questions related to mutual authentication,
      the client and its certificate. Those visiting the man pages for functions
      like SSL_CTX_use_certificate and SSL_CTX_load_verify_locations don't
      receive the benefit of a cross reference to SSL_CTX_set_client_CA_list.
      Reviewed-by: Richard Levitte <levitte@openssl.org>
  26. 27 February 2016, 1 commit