A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_6_BASE 2024-08-31T12:47:24+00:00 2024-08-31T12:47:24+00:00 jsing 2024-08-31T12:47:24+00:00 urn:sha1:bbff3f79e48b648b440e142bdf24e3eb6c6fe707 2024-07-16T14:38:59+00:00 jsing 2024-07-16T14:38:59+00:00 urn:sha1:186e5094bb162a5279ad0a8b644561442bc0ac40 2024-07-11T13:51:47+00:00 tb 2024-07-11T13:51:47+00:00 urn:sha1:aeb0ba6683468b4ec77a76f5ea223a1af6d8158a 2024-06-28T14:50:37+00:00 tb 2024-06-28T14:50:37+00:00 urn:sha1:dc878800c7a13957d54e9d835af15bcfa26f417b 2024-06-05T04:50:36+00:00 tb 2024-06-05T04:50:36+00:00 urn:sha1:56dc29e63b7fa799231b28879d4a8259a18acb81 2024-03-20T10:38:05+00:00 jsing 2024-03-20T10:38:05+00:00 urn:sha1:0d9d9a5d218e051c66bca6e7d844cd95b2ede626 The new certificates are more representative of the real world. The old certificates use weak algorithms and expire in the very near future. Most of our regress has already been switched over, this changes the remainder. Thanks to Bernhard M. Wiedemann for reminding us of the upcoming expiry. ok tb@ 2024-02-03T15:58:34+00:00 beck 2024-02-03T15:58:34+00:00 urn:sha1:20afa90e552d2efed2187dbafc92170a3895e921 This version of GOST is old and not anywhere close to compliant with modern GOST standards. It is also very intrusive in libssl and makes a mess everywhere. Efforts to entice a suitably minded anyone to care about it have been unsuccessful. At this point it is probably best to remove this, and if someone ever showed up who truly needed a working version, it should be a clean implementation from scratch, and have it use something closer to the typical API in libcrypto so it would integrate less painfully here. This removes it from libssl in preparation for it's removal from libcrypto with a future major bump ok tb@ 2023-07-02T17:21:33+00:00 beck 2023-07-02T17:21:33+00:00 urn:sha1:4edd92a57f3a74829fe519f35b5c7c79e03ce0b0 Their time has long since past, and they should not be used. This change restricts ssl to versions 1.2 and 1.3, and changes the regression tests to understand we no longer speak the legacy protocols. For the moment the magical "golden" byte for byte comparison tests of raw handshake values are disabled util jsing fixes them. ok jsing@ tb@ 2023-05-24T09:15:14+00:00 tb 2023-05-24T09:15:14+00:00 urn:sha1:cb416a0ac54838a4c54249c6c74fbaa3aafa6d6b Without this, hostflags set on the SSL_CTX would not propagate to newly created SSL. This is surprising behavior that was changed in OpenSSL 1.1 by Christian Heimes after the issue was flagged by Quentin Pradet: https://bugs.python.org/issue43522 This is a version of the fix that landed in OpenSSL. There used to be a workaround in place in urllib3, but that was removed at some point. We haven't fixed this earlier since it wasn't reported. It only showed up after recent fallout of extraordinarily strict library checking in urllib3 coming from their own interpretation of the implications of PEP 644. ok jsing 2023-05-24T08:54:59+00:00 tb 2023-05-24T08:54:59+00:00 urn:sha1:0151931d7b9060a9d578a30bd59113ee37d19c9d This is currently an expected failure that will be fixed shortly.