- 19 5月, 2016 4 次提交
-
-
由 Rich Salz 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Rich Salz 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Rich Salz 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Viktor Dukhovni 提交于
Since with SSL_VERIFY_NONE, the connection may continue and the session may even be cached, we should save some evidence that the chain was not sufficiently verified and would have been rejected with SSL_VERIFY_PEER. To that end when a CT callback returs failure we set the verify result to X509_V_ERR_NO_VALID_SCTS. Note: We only run the CT callback in the first place if the verify result is still X509_V_OK prior to start of the callback. RT #4502 Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 17 5月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
SSL_get_async_wait_fd() was replaced by SSL_get_all_async_fds() and SSL_get_changed_async_fds(). Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 16 5月, 2016 2 次提交
-
-
由 Matt Caswell 提交于
The previous commit added SSL_CTX_set_tlsext_status_type(). This one adds some documentation for it. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 FdaSilvaYY 提交于
Add a status return value instead of void. Add some sanity checks on reference counter value. Update the docs. Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 14 5月, 2016 1 次提交
-
-
由 FdaSilvaYY 提交于
Reviewed-by: NKurt Roeckx <kurt@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1042)
-
- 09 5月, 2016 1 次提交
-
-
由 FdaSilvaYY 提交于
No code change Reviewed-by: NKurt Roeckx <kurt@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 06 5月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
If the application has limited the size of the async pool using ASYNC_init_thread() then we could run out of jobs while trying to start a libssl io operation. However libssl was failing to handle this and treating it like a fatal error. It should not be fatal...we just need to retry when there are jobs available again. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 05 5月, 2016 1 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 03 5月, 2016 1 次提交
-
-
由 TJ Saunders 提交于
If no serverinfo extension is found in some cases, do not abort the handshake, but simply omit/skip that extension. Check for already-registered serverinfo callbacks during serverinfo registration. Update SSL_CTX_use_serverinfo() documentation to mention the need to reload the same serverinfo per certificate, for servers with multiple server certificates. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 02 5月, 2016 1 次提交
-
-
由 FdaSilvaYY 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 22 4月, 2016 1 次提交
-
-
由 Viktor Dukhovni 提交于
It is up to the caller of SSL_dane_tlsa_add() to take appropriate action when no records are added successfully or adding some records triggers an internal error (negative return value). With this change the caller can continue with PKIX if desired when none of the TLSA records are usable, or take some appropriate action if DANE is required. Also fixed the internal ssl_dane_dup() function to properly initialize the TLSA RR stack in the target SSL handle. Errors in ssl_dane_dup() are no longer ignored. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 14 4月, 2016 1 次提交
-
-
由 Rich Salz 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 13 4月, 2016 2 次提交
-
-
由 Matt Caswell 提交于
Documentation fix ups as a result of feedback received. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
SSL_COMP_free_compression_methods() should not be called expicitly - we should leave auto-deinit to clean this up instead. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 11 4月, 2016 1 次提交
-
-
由 Kazuki Yamaguchi 提交于
Add an accessor for SSL_CTX. Since libssl was made opaque, there is no way for users to access the cipher_list, while users can set the cipher_list by SSL_CTX_set_cipher_list(). Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 08 4月, 2016 2 次提交
-
-
由 Viktor Dukhovni 提交于
Suppress CT callbacks with aNULL or PSK ciphersuites that involve no certificates. Ditto when the certificate chain is validated via DANE-TA(2) or DANE-EE(3) TLSA records. Also skip SCT processing when the chain is fails verification. Move and consolidate CT callbacks from libcrypto to libssl. We also simplify the interface to SSL_{,CTX_}_enable_ct() which can specify either a permissive mode that just collects information or a strict mode that requires at least one valid SCT or else asks to abort the connection. Simplified SCT processing and options in s_client(1) which now has just a simple pair of "-noct" vs. "-ct" options, the latter enables the permissive callback so that we can complete the handshake and report all relevant information. When printing SCTs, print the validation status if set and not valid. Signed-off-by: NRob Percival <robpercival@google.com> Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
由 Viktor Dukhovni 提交于
The original check for != SSL_VERIFY_NONE can give surprising results when flags SSL_VERIFY_PEER is not set, but other flags are. Note that SSL_VERIFY_NONE (0) is not a flag bit, it is rather the absense of all other flag bits. Signed-off-by: NRob Percival <robpercival@google.com> Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 28 3月, 2016 1 次提交
-
-
由 Kurt Roeckx 提交于
Reviewed-by: NViktor Dukhovni <viktor@openssl.org> MR: #2452
-
- 23 3月, 2016 1 次提交
-
-
由 Alex Gaynor 提交于
Reviewed-by: NKurt Roeckx <kurt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 21 3月, 2016 1 次提交
-
-
由 Todd Short 提交于
* Clear proposed, along with selected, before looking at ClientHello * Add test case for above * Clear NPN seen after selecting ALPN on server * Minor documentation updates Reviewed-by: NEmilia Käsper <emilia@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 19 3月, 2016 1 次提交
-
-
由 Richard Levitte 提交于
Closes RT#4450 Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 13 3月, 2016 1 次提交
-
-
由 Rich Salz 提交于
With help from Viktor. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
- 10 3月, 2016 5 次提交
-
-
由 Kurt Roeckx 提交于
Reviewed-by: NViktor Dukhovni <viktor@openssl.org> MR: #1824
-
由 Kurt Roeckx 提交于
Reviewed-by: NViktor Dukhovni <viktor@openssl.org> MR: #1824
-
由 Kurt Roeckx 提交于
Reviewed-by: NViktor Dukhovni <viktor@openssl.org> MR: #1595
-
由 Kurt Roeckx 提交于
Reviewed-by: NViktor Dukhovni <viktor@openssl.org> MR: #1595
-
由 Rob Percival 提交于
Reviewed-by: NEmilia Käsper <emilia@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 08 3月, 2016 5 次提交
-
-
由 Todd Short 提交于
Add functions to determine authentication, key-exchange, FIPS and AEAD. Reviewed-by: NEmilia Käsper <emilia@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Todd Short 提交于
* Perform ALPN after the SNI callback; the SSL_CTX may change due to that processing * Add flags to indicate that we actually sent ALPN, to properly error out if unexpectedly received. * clean up ssl3_free() no need to explicitly clear when doing memset * document ALPN functions Signed-off-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Matt Caswell 提交于
A previous commit added the SSL_has_pending() function which provides a method for knowing whether OpenSSL has buffered, but as yet unprocessed record data. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Matt Caswell 提交于
Add some documentation for all of the SSL/SSL_CTX functions/ctrls for conrolling read and write pipelining. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 04 3月, 2016 1 次提交
-
-
由 Rob Percival 提交于
Reviewed-by: NBen Laurie <ben@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 03 3月, 2016 1 次提交
-
-
由 Christian Heimes 提交于
This patch provides getters for default_passwd_cb and userdata for SSL and SSL_CTX. The getter functions are required to port Python's ssl module to OpenSSL 1.1.0. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 29 2月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
Implementation experience has shown that the original plan for async wait fds was too simplistic. Originally the async logic created a pipe internally and user/engine code could then get access to it via API calls. It is more flexible if the engine is able to create its own fd and provide it to the async code. Another issue is that there can be a lot of churn in the fd value within the context of (say) a single SSL connection leading to continually adding and removing fds from (say) epoll. It is better if we can provide some stability of the fd value across a whole SSL connection. This is problematic because an engine has no concept of an SSL connection. This commit refactors things to introduce an ASYNC_WAIT_CTX which acts as a proxy for an SSL connection down at the engine layer. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 28 2月, 2016 1 次提交
-
-
由 Jeffrey Walton 提交于
Stack Overflow has a number of questions related to mutual authentication, the client and its certificate. Those visiting the man pages for functions like SSL_CTX_use_certificate and SSL_CTX_load_verify_locations don't receive the benefit of a cross reference to SSL_CTX_set_client_CA_list. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 27 2月, 2016 1 次提交
-
-
由 FdaSilvaYY 提交于
Signed-off-by: NRich Salz <rsalz@akamai.com> Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-