openbsd/src/lib/libtls/tls_init.3, branch OPENBSD_7_3

openbsd/src/lib/libtls/tls_init.3, branch OPENBSD_7_3_BASE A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_3_BASE 2017-01-25T23:53:18+00:00 split the tls_init(3) that had grown fat to allow healthy future growth; 2017-01-25T23:53:18+00:00 schwarze 2017-01-25T23:53:18+00:00 urn:sha1:d66bfa15e92b2523fa18aec340ecb1cf3eb361ec suggested by jsing@; "i would just chuck it in" jmc@ accross -> across; 2017-01-24T07:57:39+00:00 jmc 2017-01-24T07:57:39+00:00 urn:sha1:f2cbb741dc4f87f76eb6ade7e4fd21a3e8ee9841 Introduce ticket support. To enable them it is enough to set a positive 2017-01-24T01:48:05+00:00 claudio 2017-01-24T01:48:05+00:00 urn:sha1:566758f6a68a600bd25dd5d87d23efa3f29285f8 lifetime with tls_config_set_session_lifetime(). This enables tickets and uses an internal automatic rekeying mode for the ticket keys. If multiple processes are involved the following functions can be used to make tickets work accross all instances: - tls_config_set_session_id() sets the session identifier - tls_config_add_ticket_key() adds an encryption and authentication key For now only the last 4 keys added will be used (unless they are too old). If tls_config_add_ticket_key() is used the caller must ensure to add new keys regularly. It is best to do this 4 times per session lifetime (which is also the ticket key lifetime). Since tickets break PFS it is best to minimize the session lifetime according to needs. With a lot of help, input and OK beck@, jsing@ Add missing documentation for tls_config_set_verify_depth 2017-01-24T01:16:26+00:00 claudio 2017-01-24T01:16:26+00:00 urn:sha1:3356b71abfe437aab69b360e5e379a93373485f4 Done together with jsing@ Shuffle the deck chairs to bring them back in order. 2017-01-24T00:28:31+00:00 claudio 2017-01-24T00:28:31+00:00 urn:sha1:c7a85f132ca32ccfa0ad3292a3e3fbda25017d85 tls_config_add_keypair_mem is the function to add additional keypairs and 2017-01-24T00:00:12+00:00 claudio 2017-01-24T00:00:12+00:00 urn:sha1:7cdce79e265392d749743c810758d79840443013 ocsp_staple functions set the OCSP response they don't add them (which implies you can call them multiple times). Discussed with jsing@ beck@ Change the return value of tls_config_set_protocols() and 2016-11-11T14:02:24+00:00 jsing 2016-11-11T14:02:24+00:00 urn:sha1:649a0a6662a20285ecc9abb6ad4df3f56f4b0726 tls_config_set_verify_depth() from void to int. This makes them consistent with all other tls_config_set_* functions and will allow for call time validation to be implemented. Rides libtls major bump. ok beck@ fix misplaced quote by tls_peer_ocsp_this_update 2016-11-05T18:30:02+00:00 bcook 2016-11-05T18:30:02+00:00 urn:sha1:57b263cd7913400d9ea6948a28ebc3eec9556e0d tweak previous; 2016-11-05T15:45:41+00:00 jmc 2016-11-05T15:45:41+00:00 urn:sha1:ff6e911ead0adb0fdca4918ebcecb1ec573b17c7 Add support for server side OCSP stapling to libtls. 2016-11-05T15:13:26+00:00 beck 2016-11-05T15:13:26+00:00 urn:sha1:e11dddc2de1dbf045d34adf894146594aded7e8d Add support for server side OCSP stapling to netcat.