| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
sending back illegal parameter if our phh key share request type
is not 0 or 1.
ok jsing@ tb@
|
|
ok tb@ jsing@
|
|
conflict against a potential define min() from some other scope.
|
|
According to RFC 8446 section 4.4.2.4, a client receiving an empty
certificate list must abort the handshake with a decode error alert.
ok beck@ inoguchi@ tb@ ('it rarely is the alert you'd expect it to be...')
|
|
Enabled by -g option, and default to disabled (RSA certificate is used)
|
|
|
|
|
|
After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
|
The RFC requires that a server always provide a certificate for
authentication. Ensure that this is the case, rather than proceeding and
attempting validation. In the case where validation was disabled and the
server returned an empty certificate list, this would have previously
resulted in a NULL pointer deference.
Issue reported by otto@
ok inoguchi@ tb@
|
|
This was missed in previous tls13_server.c commit.
ok inoguchi@ tb@
|
|
A TLSv1.3 server must always send a certificate - return an error and abort
the handshake if none is available.
ok inoguchi@ tb@
|
|
OK beck@, who was amused by the "darkly comic value of reading" it
|
|
|
|
|
|
Enabled by -e option, and default to disabled (RSA certificate is used)
|
|
|
|
packages to appear
|
|
|
|
- OpenSSL1.1.1 with TLSv1.3 does not call SSL_SESSION_print() until NewSessionTicket arrival
- Shorten function name
|
|
OTHER_OPENSSL default to eopenssl11
|
|
This ensures that a TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 client can talk
with an appropriately configured server and vice versa.
|
|
|
|
|
|
This allows a server configured to only support TLSv1.2 and earlier, to
correctly handle connections from a TLSv1.3 capable client.
Issue reported by pvk@
ok inoguchi@ tb@
|
|
Switch the legacy version when processing the server hello, rather than
when the client hello has been sent. This ensures that we accept a
response from the server that has a record version other than
TLS1_2_VERSION, as is the case where the server is negotiating TLSv1.0
or TLSv1.1.
Issue spotted by inoguchi@
ok inoguchi@ tb@
|
|
ok jsing@ tb@
|
|
- Add -tls1_3 and -no_tls1_3 to openssl(1) s_server
- Stop using version pinned methods, instead setting the min and max protocol versions
ok jsing@ tb@
|
|
|
|
|
|
ok beck@ tb@
|
|
|
|
|
|
ok beck@ tb@
|
|
When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.
ok beck@ tb@
|
|
This will be used to handle record version checks.
ok tb@
|
|
Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.
ok tb@
|
|
This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.
ok beck@ inoguchi@ tb@
|
|
This correctly handles session being non-NULL and sets up a few more
things, including ssl_version. Also stop setting the ssl_version to the
server_version, as this is only used on the client side.
ok tb@
|
|
While we are in here also make it notice if time values in a certificate
are bogus, and say so in the output.
ok bcook@ jsing@
|
|
If the client has requested middle box compatibility mode by sending
a non-empty legacy_session_id, the server must send a dummy CCS right
after its first handshake message. This means right after ServerHello
or HelloRetryRequest.
Two important improvements over the backed-out diffr: make sure that
First: client and server can send their dummy CCS at the correct moment
(right before the next flight or right after the current flight).
Second: as jsing noted, we also need to deal with the corner case that
tls13_send_dummy_ccs() can return TLS13_IO_WANT_POLLOUT.
with/ok jsing
|
|
ok beck@
|
|
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.
ok beck@
|
|
debug is on. otherwise, just retry. Fixes problems this creates in
testing.
ok jsing@ tb@
|
|
This makes it easier to debug TLSv1.3 handshake failures.
"Yes please!" tb@, ok beck@
|
|
The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.
ok beck@
|
|
With TLSv1.3 we end up parsing extensions from more than just these two
messages. This can result in variables (like the selected alpn) being
freed when things still need them.
ok tb@
|
|
This variable is currently overloaded - a value of -1 means that it is
"unset" and any other value is a length.
ok tb@
|
|
with TLSv1.2 servers, since it makes clients send their dummy CCS too
early... There's an obvious but dirty bandaid which I can't bring myself
to applying - this business is already disgusting enough.
Issue found the hard way by sthen
|
