openbsd/src/lib/libtls, branch OPENBSD_7_8

openbsd/src/lib/libtls, branch OPENBSD_7_8_BASE A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_8_BASE 2025-08-19T19:30:48+00:00 same crank for libssl and libtls as for libcrypto 2025-08-19T19:30:48+00:00 tb 2025-08-19T19:30:48+00:00 urn:sha1:ad0cded0ebd0a033077854cf6d330209fd396fe2 bump major for libssl and libtls to match libcrypto 2025-07-16T16:01:40+00:00 tb 2025-07-16T16:01:40+00:00 urn:sha1:36dcff8deef52b4bc04e78eeec7197ef029fd411 .Lb libtls libssl libcrypto 2025-07-07T10:54:00+00:00 schwarze 2025-07-07T10:54:00+00:00 urn:sha1:800b400429130c255973b130ac2376970630d5e9 OK tb@ and no objection from tedu@ libtls: abort handshake on no ALPN protcol overlap 2025-06-04T10:25:30+00:00 tb 2025-06-04T10:25:30+00:00 urn:sha1:4af06736be7bcd30d213be74f1456a917b18a581 RFC 7301, section 3.2: In the event that the server supports no protocols that the client advertises, then the server SHALL respond with a fatal "no_application_protocol" alert. This change makes tlsext_alpn_server_process() send the alert rather than pretending no callback was present. ok jsing minor libssl bump (SSL_OP_NO_RENEGOTIATION/SSL_OP_ALLOW_CLIENT_RENEGOTIATION) 2025-03-13T10:44:36+00:00 sthen 2025-03-13T10:44:36+00:00 urn:sha1:181f99fca485a8c857ea69a0c27cd192bb2d93f4 code #ifdef'ing these and compiled with new headers won't work as expected on earlier libraries minor libtls bump to match libssl bump ok tb@ Give libtls the same bump as libcrypto and libssl 2025-03-09T15:55:23+00:00 tb 2025-03-09T15:55:23+00:00 urn:sha1:03c85ab803a26b62081f7094f3db37752fe0c26d Document tls_peer_cert_common_name() 2024-12-10T08:42:12+00:00 tb 2024-12-10T08:42:12+00:00 urn:sha1:c94b3b4a953c20b000c195ce5e2ef6683eed6964 ok beck bump minor after symbol addition 2024-12-10T08:41:04+00:00 tb 2024-12-10T08:41:04+00:00 urn:sha1:33875d389c8fd1dfd905c7df51d2a99c0e2a197c expose tls_peer_cert_common_name() 2024-12-10T08:40:45+00:00 tb 2024-12-10T08:40:45+00:00 urn:sha1:db054d1724c886cd5458cd093791310cf44fb0ae Provide tls_peer_cert_common_name() 2024-12-10T08:40:30+00:00 tb 2024-12-10T08:40:30+00:00 urn:sha1:d3da05396af6da5d0c94da0425031aa4fd529ac9 There is currently no sane way of getting your hands on the common name or subject alternative name of the peer certificate from libtls. It is possible to extract it from the peer cert's PEM by hand, but that way lies madness. While the common name is close to being deprecated in the webpki, it is still the de facto standard to identify client certs. It would be nice to have a way to access the subject alternative names as well, but this is a lot more difficult to expose in a clean and sane C interface due to its multivaluedness. Initial diff from henning, with input from beck, jsing and myself henning and bluhm have plans of using this in syslogd. ok beck