openbsd/src/lib/libssl/man, branch OPENBSD_7_0A mirror of https://github.com/libressl/openbsd.git
https://git.lua4.win/openbsd/atom?h=OPENBSD_7_02021-09-14T14:30:57+00:00provide a small manual page for the SSL_set_psk_use_session_callback(3)2021-09-14T14:30:57+00:00schwarze2021-09-14T14:30:57+00:00urn:sha1:893064c29739c4260c6617f7fdd94a8a802ae9cb
stub, written from scratch;
OK tb@ on SSL_set_psk_use_session_callback.3
Merge the stub SSL_SESSION_is_resumable(3) manual page from the2021-09-14T14:08:15+00:00schwarze2021-09-14T14:08:15+00:00urn:sha1:1b8306e7e3cdef25c29c63bc651d4ae5597212f8
OpenSSL 1.1.1 branch, which is still under a free license.
A few tweaks to wording and structure by me.
OK tb@ on SSL_SESSION_is_resumable.3
merge the description of SSL_get_tlsext_status_type(3)2021-09-11T18:58:41+00:00schwarze2021-09-11T18:58:41+00:00urn:sha1:13dbc996ebccef083673eb0d489a35eda7075e9a
from the OpenSSL 1.1.1 branch, which is still under a free license
Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback2021-09-10T09:25:29+00:00tb2021-09-10T09:25:29+00:00urn:sha1:c9e7d5c2a853445ab5e839eb581700a7def5be3b
As reported by Jeremy Harris, we inherited a strange behavior from
OpenSSL, in that we ignore the SSL_TLSEXT_ERR_FATAL return from the
ALPN callback. RFC 7301, 3.2 states: 'In the event that the server
supports no protocols that the client advertises, then the server
SHALL respond with a fatal "no_application_protocol" alert.'
Honor this requirement and succeed only on SSL_TLSEXT_ERR_{OK,NOACK}
which is the current behavior of OpenSSL. The documentation change
is taken from OpenSSL 1.1.1 as well.
As pointed out by jsing, there is more to be fixed here:
- ensure that the same protocol is selected on session resumption
- should the callback be called even if no ALPN extension was sent?
- ensure for TLSv1.2 and earlier that the SNI has already been processed
ok beck jsing
comment out the detailed description of SSL_get_servername(3),2021-09-01T13:56:03+00:00schwarze2021-09-01T13:56:03+00:00urn:sha1:a482f7b07f62088c9ed13e435de7e96f5d68ed37
leaving only the basic description in the RETURN VALUES section;
tb@ pointed out LibreSSL does not currently provide all those guarantees,
and he also OK'ed this diff
sync with OpenSSL 1.1.1, which is still under a free license;2021-08-30T18:18:16+00:00schwarze2021-08-30T18:18:16+00:00urn:sha1:447f1c2b595ba3da3932bbb5ec4313a80587c746
in particular, this includes new text by Matt Caswell
from OpenSSL commit 721eb8f6 Nov 28 12:03:00 2019 +0000
and corrects a wrong argument type that i introduced into the SYNOPSIS;
requested by tb@
Fix .Xr order. From mandoc -Tlint.2021-06-26T17:36:28+00:00tb2021-06-26T17:36:28+00:00urn:sha1:0618fe8c624c4e1cba458d1c396fcab3241b5f7aspace between macro args and punctuation;2021-06-12T17:04:41+00:00jmc2021-06-12T17:04:41+00:00urn:sha1:0d0d6635c4d19108e726878f9f88a0793fd3f32fRFC 4507bis can refer to various RFCs but this instance is about2021-06-12T11:02:20+00:00tb2021-06-12T11:02:20+00:00urn:sha1:7895cae9ea7277b3786272c80f490f95334d741f
RFC 5077. Note that session resumption via session tickets is
only for TLSv1.2 and earlier.
prompted by a question by/ok jmc
space between RFC and number;2021-06-11T19:45:21+00:00jmc2021-06-11T19:45:21+00:00urn:sha1:1ab79cf05f96f2cf024f9e418d9abd85a90316f9