| Commit message (Collapse) | Author | Files | Lines |
|---|
|
context used by an SSL object, so do not talk about the SSL_CTX
that "an SSL object was created from";
fixing an inaccuracy pointed out by jsing@.
|
|
Split the existing tls12_record_layer_write_mac() function so that we can
soon reuse part of it for the read side.
No functional change.
ok tb@
|
|
fails, to match the behaviour of ssl_create_cipher_list(). This also
agrees with the behaviour of SSL_set_ciphersuites(3) in OpenSSL.
Issue found while writing documentation.
OK jsing@
|
|
This should be a 'goto err' rather than returning.
|
|
content there. Clarify when the returned pointers become invalid,
which is far from obvious but sets surprising traps for the user.
For three of the functions, correct statements about when they fail.
Also improve a number of wordings while here.
OK beck@
|
|
happy
ok tb@
|
|
verification code.
ok jsing@
|
|
of staying with the new name constraint code this will be deleted
ok jsing@
|
|
In particular, figure what the handshake_func should be early on, so we
can just assign later.
ok beck@
|
|
Now that get_ssl_method is no longer used, we can garbage collect the
function pointer and some associated machinery.
ok beck@
|
|
|
|
If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.
This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).
The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.
Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.
Issue noticed by sthen@ with nginx and unifi.
ok beck@ tb@
|
|
SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.
ok beck@
|
|
Move assignment to the correct place so that the run continuation condition
actually checks what it is supposed to. Found by getting lucky when running
regress.
ok beck jsing
|
|
simpler and more consistent in x509_verify.c rev. 1.6;
OK beck@
|
