summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl.h (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Provide SSL_CTX_up_ref().jsing2018-02-141-1/+2
|
* Provide SSL_CTX_get0_param() and SSL_get0_param().jsing2018-02-141-2/+3
| | | | | Some applications that use X509_VERIFY_PARAM expect these to exist, since they're also part of the OpenSSL 1.0.2 API.
* Bring back the NPN related symbols.jsing2017-08-301-2/+8
| | | | | | | | | | | Several pieces of software make use of these based on a conditional around OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of the TLS extension type. Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for ALPN was effectively botched and reuses two parts from the NPN implementation, rather than providing ALPN specific or generic versions.
* Completely remove NPN remnants.jsing2017-08-281-8/+2
| | | | Based on a diff from doug@, similar diff from inoguchi@
* Remove support for the TLS padding extension.jsing2017-08-131-4/+3
| | | | | | | | This was added as a workaround for broken F5 TLS termination, which then created issues talking to broken IronPorts. The size of the padding is hardcoded so it cannot be used in any generic sense. ok bcook@ beck@ doug@
* Nuke SSL_OP_CRYPTOPRO_TLSEXT_BUG.jsing2017-08-131-9/+3
| | | | | | | This was a workaround for a server that needed to talk GOST to old/broken CryptoPro clients. This has no impact on TLS clients that are using GOST. ok bcook@ beck@ doug@
* Clean up the EC key/curve configuration handling.jsing2017-08-101-3/+2
| | | | | | | | | | | | | | | | | | | | | | Over the years OpenSSL grew multiple ways of being able to specify EC keys (and/or curves) for use with ECDH and ECDHE key exchange. You could specify a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via a callback that was provided with insufficient information (SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to problems (like ECDHE not being enabled) and potential weird configuration (like being able to do ECDHE without the ephemeral part...). We no longer support ECDH and ECDHE can be disabled by removing ECDHE ciphers from the cipher list. As such, permanently enable automatic EC curve selection and generation, effectively disabling all of the configuration knobs. The only exception is the SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous behaviour by configuring the curve of the given EC key as the only curve being enabled. Everything else becomes a no-op. ok beck@ doug@
* Move state from ssl->internal to the handshake structure.beck2017-05-071-7/+7
| | | | | | | while we are at it, convert SSLerror to use a function internally, so that we may later allocate the handshake structure and check for it ok jsing@
* Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.jsing2017-05-061-1/+10
| | | | | | Rides minor bump. ok beck@
* Define values for SSL_CTRL_SET_GROUPS{,_LIST} and wire them up to thejsing2017-02-051-14/+6
| | | | | | | | SSL_{,CTX_}ctrl() functions. As crazy as it is, some software appears to call the control functions directly rather than using the macros (or functions) provided by the library. Discussed with beck@ and sthen@
* Provide an SSL_OP_NO_CLIENT_RENEGOTIATION option that disallowsjsing2017-01-311-1/+3
| | | | | | | client-initiated renegotiation. The current default behaviour remains unchanged. ok beck@ reyk@
* Limit the number of sequential empty records that we will processbeck2017-01-261-1/+2
| | | | | | before yielding, and fail if we exceed a maximum. loosely based on what boring and openssl are doing ok jsing@
* Remove a sess_cert reference from a comment in the public header.jsing2017-01-261-5/+2
| | | | Noted by zhuk@
* Provide defines for SSL_CTRL_SET_CURVES/SSL_CTRL_SET_CURVES_LIST for thingsjsing2017-01-251-1/+15
| | | | | | | | that are conditioning on these. From BoringSSL. ok beck@
* Add support for setting the supported EC curves viajsing2017-01-241-1/+14
| | | | | | | | | | | | | SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous SSL{_CTX}_set1_curves{_list} names. This also changes the default list of EC curves to be X25519, P-256 and P-384. If you want others (such a brainpool) you need to configure this yourself. Inspired by parts of BoringSSL and OpenSSL. ok beck@
* unifdef OPENSSL_NO_BIO - we do not support this in any form.jsing2017-01-241-15/+1
| | | | ok beck@
* move default_passwd_cb and default_passwd_cb_userdata back intobeck2017-01-231-1/+12
| | | | | | | the ssl_ctx from internal - these are used directly by python and openvpn and a few other things - we have the set accessors but the get accessors were added in 1.1 and these roll their own caveat OPENSSL_VERSION chickenpluckery
* Move options and mode from SSL_CTX and SSL to internal, since these can bejsing2017-01-231-6/+3
| | | | set and cleared via existing functions.
* Split most of SSL_METHOD out into an internal variant, which is opaque.jsing2017-01-231-27/+7
| | | | Discussed with beck@
* Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrljsing2017-01-231-5/+1
| | | | | | | from SSL_METHOD, replacing usage with direct calls to the appropriate functions. ok beck@
* send state and rstate from ssl_st into internal. There are accessorsbeck2017-01-231-4/+1
| | | | | so these should not be diddled with directly ok jsing@
* move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant andbeck2017-01-231-1/+9
| | | | other perversions touches them sickly and unnaturally.
* Move a large part of ssl_st into internal, so we can see what squeals.beck2017-01-231-103/+1
| | | | ok jsing@
* Move ex_data, next and prev from SSL_SESSION to internal.jsing2017-01-231-6/+1
| | | | ok beck@
* Move most of the fields in SSL_CTX to internal - the ones that remain arejsing2017-01-231-53/+2
| | | | | | known to be in use. ok beck@
* move the callbacks from ssl_st to internalbeck2017-01-231-29/+3
| | | | ok jsing@
* Move callback function pointers and argument pointers from SSL_CTX tojsing2017-01-231-58/+1
| | | | | | internal. ok beck@
* Move not_resumable and sess_cert from SSL_SESSION to internal.jsing2017-01-231-9/+4
| | | | ok beck@
* Remove heartbeat related fields from the SSL_CTX, which are unusedjsing2017-01-231-9/+1
| | | | (thankfully).
* Move the stats struct from SSL_CTX to internal.jsing2017-01-231-20/+1
| | | | ok beck@
* Move ALPN and NPN fields from SSL/SSL_CTX to internal.jsing2017-01-221-57/+1
| | | | ok beck@
* Move internal parts of ssl_session_st to internalbeck2017-01-221-5/+1
| | | | ok jsing@
* Move recently added min_version/max_version from SSL and SSL_CTX to theirjsing2017-01-221-7/+1
| | | | opaque structs.
* Convert publically visible structs to translucent structs.jsing2017-01-221-3/+13
| | | | | | | | | | | | | This change adds an internal opaque struct for each of the significant publically visible structs. The opaque struct is then allocated and attached to the publically visible struct when the appropriate *_new() function is called, then cleared and freed as necessary. This will allow for changes to be made to the internals of libssl, without requiring a major bump each time the publically visible structs are modified. ok beck@
* Add support for SSL_get_server_tmp_key().jsing2016-12-301-2/+7
| | | | ok doug@
* Add minimum and maximum version fields to SSL, SSL_CTX and SSL_METHODjsing2016-12-211-1/+10
| | | | | | for future work. Discussed with beck@
* Fix some linewrapping glitchesguenther2016-11-041-7/+5
| | | | ok jsing@
* Expand another LHASH_OF macro.jsing2016-11-021-2/+2
|
* Expand DECLARE_LHASH_OF and LHASH_OF macros.jsing2016-11-021-3/+5
|
* Expand DECLARE_PEM_rw macro.jsing2016-11-021-2/+7
|
* Sort the obsolete flags.doug2015-10-251-6/+6
|
* Mark SSL_OP_NO_{COMPRESSION,SSLv2,SSLv3} as obsolete.doug2015-10-251-5/+4
| | | | | | For backward compatibility, the flags are redefined as 0. ok jsing@
* Remove support for DTLS_BAD_VER. We do not support non-standard andjsing2015-09-101-4/+2
| | | | | | | incomplete implementations just so that we can interoperate with products from vendors who have not bothered to fix things in the last ~10 years. ok bcook@ miod@
* Remove SSLv3 support from LibreSSL.doug2015-08-271-5/+1
| | | | | | | | | | This is the first wave of SSLv3 removal which removes the main SSLv3 functions. Future commits will remove the rest of the SSLv3 support. Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@, sthen@, naddy@, and deraadt@. ok jsing@, beck@
* Add TLS_method, TLS_client_method and TLS_server_method.doug2015-07-191-1/+4
| | | | | | | | | | | | | | | | Use these instead of SSLv23_*method when you want to make sure TLS is used. By default, we disable SSLv3 but it's still possible for the user to re-enable it. TLS_*method does not allow SSLv3. Both BoringSSL and (next version of) OpenSSL have these methods. However, they have changed the implementation significantly. We will as well, but not right now. Riding the libssl major bump. ok miod@ bcook@
* Remove SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER workaround.doug2015-07-181-3/+2
| | | | | | This was a hack to work around problems on IE 6 with SSLv3. ok miod@ bcook@
* Remove support for the SSL_OP_TLS_D5_BUG compat hack from SSLeay.doug2015-07-181-3/+2
| | | | | | | | This is a 17 year old workaround from SSLeay 0.9.0b. It was for clients that send RSA client key exchange in TLS using SSLv3 format (no length prefix). ok jsing@
* Remove compat hack that disabled ECDHE-ECDSA on OS X.doug2015-07-171-3/+2
| | | | | | | | | For a few old releases, ECDHE-ECDSA was broken on OS X. This option cannot differentiate between working and broken OS X so it disabled ECDHE-ECDSA support on all OS X >= 10.6. 10.8-10.8.3 were the faulty releases but these are no longer relevant. Tested on OS X 10.10 by jsing. ok jsing@
* Remove workaround for TLS padding bug from SSLeay days.doug2015-07-171-3/+2
| | | | | | | | | OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years. Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5. ok jsing@
* Make SSL_OP_ALL readable.jsing2015-06-201-2/+9
| | | | ok deraadt@ doug@ millert@ miod@ sthen@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 19:02:51 +0000