summaryrefslogtreecommitdiff
path: root/src/lib/libtls/tls_config.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Avoid leaking ca_mem when freeing a tls_config.jsing2016-05-271-1/+2
|
* Factor our the keypair handling in libtls. This results in more readablejsing2016-04-281-14/+100
| | | | | | | | | and self-contained code, while preparing for the ability to handle multiple keypairs. Also provide two additional functions that allow a public certificate and private key to be set with a single function call. ok beck@
* Rework the error handling in libtls so that we can associate errors withjsing2016-04-281-3/+15
| | | | | | | | | | | both configuration and contexts. This allows us to propagate errors that occur during configuration, rather than either just failing with no reason or delaying the failure until it can be propagated via the tls context. Also provide a tls_config_error() function for retrieving the last error from a tls_config *. ok bcook@
* clean some ugly intendation wartsderaadt2015-09-291-2/+2
|
* Provide tls_config_insecure_noverifytime() in order to be able to disablejsing2015-09-141-1/+8
| | | | | | certificate validity checking. ok beck@
* Add support for preferring the server's cipher list or the client's cipherjsing2015-09-101-1/+15
| | | | | | | | list. Prefer the server's cipher list by default. Based on a diff from Kyle Thompson <jmp at giga dot moe>. ok beck@ bcook@
* Indent labels with a space so that diff -p is more friendly.jsing2015-09-091-2/+2
| | | | Requested by bluhm@
* Add client certificate support. Still needs a few tweaks but this willbeck2015-09-091-1/+13
| | | | | ride upcoming minor bump ok jsing@
* Rename tls_config_insecure_noverifyhost() tojsing2015-02-221-6/+5
| | | | | | | tls_config_insecure_noverifyname(), so that it is more accurate and keeps inline with the distinction between DNS hostname and server name. Requested by tedu@ during s2k15.
* Check return values when setting dheparams and ecdhecurve for the defaultjsing2015-02-221-11/+14
| | | | configuration.
* In the interests of being secure by default, make the default TLS ciphersjsing2015-02-221-1/+13
| | | | | | | be those that are TLSv1.2 with AEAD and PFS. Provide a "compat" mode that allows the previous default ciphers to be selected. Discussed with tedu@ during s2k15.
* Add a tls_config_parse_protocols() function that allows a protocols stringjsing2015-02-121-1/+60
| | | | | | | | | to be converted into a libtls protocols value. This allows for things like: "tlsv1.0,tlsv1.1" (TLSv1.0 and TLSv1.1) "all,!tlsv1.0" (all protocols except TLSv1.0) Discussed with tedu@ and reyk@
* Fix handling of "legacy" mode for tls_config_set_dheparams().jsing2015-02-121-2/+2
| | | | Found by reyk@
* Be consistent with naming - only use "host" and "hostname" when referringjsing2015-02-111-3/+4
| | | | | | | | | | to an actual host and use "servername" when referring to the name of the TLS server that we expect to be indentified in the server certificate. Likewise, rename verify_host to verify_name and use the term "name" throughout the verification code (rather than host or hostname). Requested by and ok tedu@
* Add tls_config_set_dheparams() to allow specification of the parameters tojsing2015-02-071-5/+25
| | | | | | | | | use for DHE. This enables the use of DHE cipher suites. Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it is only used to specify the curve for ephemeral ECDH. Discussed with reyk@
* Allow to to load the CA chain directly from memory instead ofreyk2015-01-221-1/+8
| | | | | | | | specifying a file. This enables CA verification in privsep'ed processes that are running chroot'ed without direct access to the certificate files. With feedback, tests, and OK from bluhm@
* Rename libressl to libtls to avoid confusion and to make it easier tojsing2014-10-311-0/+201
distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-25 22:21:51 +0000