| Commit message (Collapse) | Author | Files | Lines |
|---|
|
SSL_OP_TLS_ROLLBACK_BUG to no longer have any effect.
Update the manual page.
|
|
around the SSLv3/TLSv1.0 period... and buggy clients are buggy. This also
helps to clean up the RSA key exchange code.
ok "kill it with fire" beck@ tb@
|
|
because it was (1) woefully incomplete, (2) partially outdated
and wrong, (3) in parts imprecisely worded and hard to understand,
(4) excessively technical for a section 1 manual, (5) of excessive
size for this particular page, (6) and didn't belong here in the
first place because it essentially tried to document a C API -
SSL_CTX_set_cipher_list(3), which is now documented, so point to it.
|
|
collecting the information by inspecting the source code.
|
|
|
|
this to be "overridden" by the user supplied callback.
ok jsing@
|
|
triggered by OpenSSL commit a73d990e Feb 27 19:02:24 2018 +0100,
but with different content
|
|
|
|
suppresses any future config file loading.
ok schwarze@ with a nit from jsing@
|
|
Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.
ok beck@ inoguchi@
|
|
These flags enabled experimental behaviour in the write path, which nothing
uses. Removing this code greatly simplifies ssl3_write().
ok beck@ inoguchi@ sthen@ tb@
|
|
|
|
Previously this incorrectly called tls_keypair_clear(), which results in
the private key being cleared, along with the certificate, OCSP staple and
pubkey hash. This breaks OCSP stapling if tls_config_clear_keys() is called
following tls_configure(), as is done by httpd.
Fix this by calling tls_keypair_clear_key() so that only the private key is
cleared, leaving the other public data untouched. While here, remove
tls_keypair_clear() and fold the necessary parts into tls_keypair_free().
ok beck@
|
|
being loaded behind our back, at a later point.
ok beck@
|
|
|
|
|
|
|
|
it may be something else. For primitive types it is possible that
a boolean int has been casted to an ASN1_VALUE pointer. Then the
64 bit read access to *pval may crash due to alignent or 32 bit
size.
bug report Anton Borowka; OK tedu@ jsing@ miod@
|
|
Found and fixed by Bernd Edlinger as part of OpenSSL commit
83b4049ab75e9da1815e9c854a9297bca3d4af6b
ok jsing, deraadt, bcook
|
|
Tighten up checks for various X509_VERIFY_PARAM functions, and
allow for the verify param to be poisoned (preculding future
successful cert validation) if the setting of host, ip, or email
for certificate validation fails. (since many callers do not
check the return code in the wild and blunder along anyway)
Inspired by some discussions with Adam Langley.
ok jsing@
|
|
(1) Evaluate the "set" argument, which says whether to create a new
RDN or to prepend or append to an existing one, before reusing it
for a different purpose, i.e. for the "set" field of the new
X509_NAME_ENTRY structure.
(2) When incrementing of some "set" fields is needed, increment the
correct ones: All those to the right of the newly inserted entry,
but not the one of that entry itself.
These two bugs caused wrong results whenever using loc != -1,
i.e. whenever inserting rather than appending entries, even when
using set == 0 only, that is, even when using single-values RDNs only.
Both bugs have been continuously present since at least SSLeay-0.8.1
(released July 18, 1997) and the second one since at least SSLeay-0.8.0
(released June 25, 1997), so both are over twenty years old.
I found these bugs by code inspection while trying to document the
function X509_NAME_ENTRY_set(3), which is public, but undocumented
in OpenSSL.
OK beck@, jsing@
|
|
|
|
From Edgar Pettijohn
|
|
|
|
SSL_CTX_get_default_passwd_cb(3) and
SSL_CTX_get_default_passwd_cb_userdata(3).
Merge the documentation, tweaked by me;
from Christian Heimes <cheimes at redhat dot com>
via OpenSSL commit 0c452abc Mar 2 12:53:40 2016 +0100.
|
|
X509_STORE_get0_param(3); write the documentation from scratch.
|
|
X509_OBJECT_get_type(3). It is undocumented in OpenSSL,
so write some documentation from scratch.
|
|
arbitrarily different, the array is in general no longer sorted.
This commit copies a small hidden bugfix from the OpenSSL commit
https://github.com/openssl/openssl/commit/fbb7b33b
the rest of which is merely cosmetics.
I discovered the bug independently while documenting sk_find(3).
Keep the library's idea of when an empty stack or a one-element stack
is sorted and when it is not bug-compatible with OpenSSL, even though
in fact, empty and one-element stacks are of course always sorted.
OK beck@
|
|
* Remove -tls1 option which has no effect.
* For -V, sort the fields in the order they are printed, and do not
talk about key size restrictions, nothing like that is printed.
|
|
Some options were missing, some were in the wrong section (CRL-related
or not), and there were some minor errors, typos, and omissions.
|
|
resulting fixes: markup of "command" below SYNOPSIS and links to the
config file formats below SEE ALSO
|
|
via OpenSSL commit 3266cf58 Mar 10 13:13:23 2018 -0500
|
|
BoringSSL rather than from OpenSSL and that it is not hooked into evp(3).
So delete all text from OpenSSL including the Copyright and license
and replace it by some text assembled from comments in BoringSSL
code and headers and some text written myself, all under ISC license.
In particular, also describe X25519_keypair(3), add SYNOPSIS, RETURN
VALUES, STANDARDS, and a reference to D. J. Bernsteins instructions
on how to use the algorithm. Delete the text related to EVP_PKEY
describing features we do not support.
|
|
|
|
|
|
from Matt Caswell <matt at openssl dot org>
via OpenSSL commit f929439f Mar 15 12:19:16 2018 +0000
|
|
manual page, which is below the threshold of originality, so there is
no need to change the Copyright headers. The rest of that page is less
clear and less precise than what we already have in our various pages.
|
|
The comment in EVP_DigestInit.pod is:
"EVP_MD_pkey_type() returns the NID of the public key signing algorithm
associated with this digest. For example EVP_sha1() is associated with
RSA so this will return NID_sha1WithRSAEncryption. Since digests and
signature algorithms are no longer linked this function is only retained
for compatibility reasons."
So there is no link anymore.
From <paul dot dale at oracle dot com>
via OpenSSL commit 79b49fb0 Mar 20 10:03:10 2018 +1000
|
|
from Kurt Roeckx <kurt at roeckx dot be>
via OpenSSL commit b38fa985 Mar 10 16:32:55 2018 +0100
|
|
EC_POINT_get_affine_coordinates_GF2m(3);
from David Benjamin <davidben at google dot com>
via OpenSSL commit ddc1caac Mar 6 14:00:24 2018 -0500
|
|
from <Bernd dot Edlinger at hotmail dot de>
via OpenSSL commit c911e5da Mar 19 14:20:53 2018 +0100
|
|
from <Matthias dot St dot Pierre at ncp dash e dot com>
via OpenSSL commit 36359cec Mar 7 14:37:23 2018 +0100
|
|
via OpenSSL commit d47eaaf4 Mar 9 07:11:13 2018 -0500
|
|
via OpenSSL commit 4a56d2a3 Feb 25 16:49:27 2018 +0300
|
|
1. setlocale(LC_ALL, "A"); setlocale(LC_CTYPE, "T"); setlocale(LC_ALL, NULL);
must return "A/T/A/A/A/A", not "A". Fix this by always initializing the
LC_ALL entry of newgl to "" in dupgl(). Reported by Karl Williamson
<public at khwilliamson dot com> on bugs@, thanks!
2. Do not leak newgl when strdup(3) fails in setlocale(3).
3. For setlocale(LC_ALL, "C/C/fr_FR.UTF-8/C/C/C"); correctly set
_GlobalRuneLocale; i found 2. and 3. while looking at the code.
Feedback on a buggy earlier version and OK martijn@.
|
|
Fixes for CVE-2018-0739.
Copied from commit below, and modified for adaption to our code.
https://github.com/openssl/openssl/commit/9310d45087ae546e27e61ddf8f6367f29848220d
ok bcook@ beck@ jsing@
|
|
on the web, so fix up SSLeay HISTORY accordingly
|
|
ok tobias
|
|
|
|
|
