openbsd/src/lib/libtls, branch libressl-v2.4.3

Split the existing TLS cipher suite groups into four:

2016-07-13T16:30:48+00:00

"secure" (TLSv1.2+AEAD+PFS) "compat" (HIGH:!aNULL) "legacy" (HIGH:MEDIUM:!aNULL) "insecure" (ALL:!aNULL:!eNULL) This allows for flexibility and finer grained control, rather than having two extremes (an issue raised by Marko Kreen some time ago). ok beck@ tedu@

Revert previous - it introduces problems with a common privsep use case.

2016-07-07T14:09:03+00:00

Check that the given ciphers string is syntactically valid and results in

2016-07-06T16:47:18+00:00

at least one matching cipher suite. ok doug@

Always load CA, key and certificate files at the time the configuration

2016-07-06T16:16:36+00:00

function is called. This simplifies code and results in a single memory based code path being used to provide data to libssl. Errors that occur when accessing the specified file are now detected and propagated immediately. Since the file access now occurs when the configuration function is called, we now play nicely with privsep/pledge. ok beck@ bluhm@ doug@

Correctly handle an EOF that occurs prior to the TLS handshake completing.

2016-07-06T02:32:57+00:00

Reported by Vasily Kolobkov, based on a diff from Marko Kreen. ok beck@

Rename some of the internal error setting functions to more closely follow

2016-05-27T14:38:40+00:00

existing naming standards. Also provide functions for setting a struct tls_error * directly (rather than having to have a struct tls * or a struct tls_config *).

Avoid leaking ca_mem when freeing a tls_config.

2016-05-27T14:27:22+00:00

Fix function parameters that do not have an underscore prefix.

2016-05-27T14:21:24+00:00

typo fixes; Anthony Coulter

2016-05-27T11:25:57+00:00

Fix mangled function signatures.

2016-05-09T13:48:57+00:00

From Carlin Bingham , thanks!