path: root/src/lib/libtls/tls_init.3
Commit log (newest first). Each entry gives the commit date, author, files changed and lines removed/added, followed by the commit message.

* 2017-01-25  schwarze  (1 file, -885/+0)
  split the tls_init(3) that had grown fat to allow healthy future growth;
  suggested by jsing@; "i would just chuck it in" jmc@

* 2017-01-24  jmc  (1 file, -2/+2)
  accross -> across;
* 2017-01-24  claudio  (1 file, -1/+28)
  Introduce ticket support. To enable them it is enough to set a positive
  lifetime with tls_config_set_session_lifetime(). This enables tickets and
  uses an internal automatic rekeying mode for the ticket keys. If multiple
  processes are involved the following functions can be used to make tickets
  work across all instances:
  - tls_config_set_session_id() sets the session identifier
  - tls_config_add_ticket_key() adds an encryption and authentication key
  For now only the last 4 keys added will be used (unless they are too old).
  If tls_config_add_ticket_key() is used the caller must ensure to add new
  keys regularly. It is best to do this 4 times per session lifetime (which
  is also the ticket key lifetime). Since tickets break PFS it is best to
  minimize the session lifetime according to needs.
  With a lot of help, input and OK beck@, jsing@
* 2017-01-24  claudio  (1 file, -1/+5)
  Add missing documentation for tls_config_set_verify_depth
  Done together with jsing@

* 2017-01-24  claudio  (1 file, -9/+9)
  Shuffle the deck chairs to bring them back in order.

* 2017-01-24  claudio  (1 file, -5/+5)
  tls_config_add_keypair_mem is the function to add additional keypairs and
  ocsp_staple functions set the OCSP response they don't add them (which
  implies you can call them multiple times).
  Discussed with jsing@ beck@

* 2016-11-11  jsing  (1 file, -4/+4)
  Change the return value of tls_config_set_protocols() and
  tls_config_set_verify_depth() from void to int. This makes them consistent
  with all other tls_config_set_* functions and will allow for call time
  validation to be implemented.
  Rides libtls major bump.
  ok beck@

* 2016-11-05  bcook  (1 file, -2/+2)
  fix misplaced quote by tls_peer_ocsp_this_update

* 2016-11-05  jmc  (1 file, -6/+6)
  tweak previous;

* 2016-11-05  beck  (1 file, -2/+16)
  Add support for server side OCSP stapling to libtls.
  Add support for server side OCSP stapling to netcat.

* 2016-11-04  beck  (1 file, -2/+8)
  Add ocsp_require_stapling config option for tls - allows a connection
  to indicate that it requires the peer to provide a stapled OCSP response
  with the handshake. Provide a "-T muststaple" for nc that uses it.
  ok jsing@, guenther@

* 2016-11-03  beck  (1 file, -4/+4)
  Don't do OCSP validation when we have disabled certificate verification
  or certificate validation.
  ok jsing@

* 2016-11-02  jmc  (1 file, -9/+9)
  bit more cleanup;

* 2016-11-02  jmc  (1 file, -32/+26)
  tweak previous;

* 2016-11-02  beck  (1 file, -3/+118)
  Add OCSP client side support to libtls.
  - Provide access to certificate OCSP URL
  - Provide ability to check a raw OCSP reply against an established TLS ctx
  - Check and validate OCSP stapling info in the TLS handshake if a stapled
    OCSP response is provided.
  Add example code to show OCSP URL and stapled info into netcat.
  ok jsing@

* 2016-09-13  tedu  (1 file, -4/+4)
  add a little more typing to the first callback argument.
  it's always a tls context.

* 2016-09-04  jmc  (1 file, -7/+7)
  minor tweaks;

* 2016-09-04  jsing  (1 file, -3/+7)
  New sentence, new line. Also wrap at 80 chars.

* 2016-09-04  bcook  (1 file, -1/+13)
  Add callback-based interface to libtls.
  This allows working with buffers and callback functions instead of
  directly on sockets or file descriptors.
  Original patch from Tobias Pape <tobias_at_netshed.de>.
  ok beck@

* 2016-09-04  jsing  (1 file, -47/+16)
  State that libtls functions apply to both clients and servers, unless
  noted otherwise. Remove all of the now redundant "client and server"
  notations and change the client and server notations to "client only"
  and "server only".
  With input from jmc@.
  ok beck@ jmc@

* 2016-08-22  jsing  (1 file, -2/+27)
  Provide an API that enables server side SNI support - add the ability to
  provide additional keypairs (via tls_config_add_keypair_{file,mem}()) and
  allow the server to determine what servername the client requested (via
  tls_conn_servername()).
  ok beck@

* 2016-08-18  jsing  (1 file, -45/+35)
  Rework parts of the libtls man page for clarity. Split out the connection
  information related functions under their own heading and dedup the text
  relating to when these functions can be called.
  With input from and ok jmc@

* 2016-08-12  jsing  (1 file, -8/+28)
  Add ALPN support to libtls.
  ok beck@ doug@

* 2016-08-02  jsing  (1 file, -28/+8)
  Revert previous since it adds new symbols.
  Requested by deraadt@

* 2016-08-01  jsing  (1 file, -8/+28)
  Add ALPN support to libtls.
  ok beck@ doug@

* 2016-07-13  jsing  (1 file, -6/+11)
  Split the existing TLS cipher suite groups into four:
  "secure" (TLSv1.2+AEAD+PFS)
  "compat" (HIGH:!aNULL)
  "legacy" (HIGH:MEDIUM:!aNULL)
  "insecure" (ALL:!aNULL:!eNULL)
  This allows for flexibility and finer grained control, rather than having
  two extremes (an issue raised by Marko Kreen some time ago).
  ok beck@ tedu@

* 2016-05-27  sthen  (1 file, -3/+3)
  typo fixes; Anthony Coulter

* 2016-05-09  jsing  (1 file, -5/+5)
  Fix mangled function signatures.
  From Carlin Bingham <cb at viennan dot net>, thanks!

* 2016-04-28  jmc  (1 file, -2/+2)
  spelling fix;
* 2016-04-28  jsing  (1 file, -3/+17)
  Factor out the keypair handling in libtls. This results in more readable
  and self-contained code, while preparing for the ability to handle
  multiple keypairs. Also provide two additional functions that allow a
  public certificate and private key to be set with a single function call.
  ok beck@

* 2016-04-28  jsing  (1 file, -5/+10)
  Rework the error handling in libtls so that we can associate errors with
  both configuration and contexts. This allows us to propagate errors that
  occur during configuration, rather than either just failing with no
  reason or delaying the failure until it can be propagated via the tls
  context. Also provide a tls_config_error() function for retrieving the
  last error from a tls_config *.
  ok bcook@

* 2016-04-24  jmc  (1 file, -5/+3)
  no more outlen; from remco
  ok bcook deraadt

* 2016-04-24  jmc  (1 file, -3/+3)
  typos;

* 2015-11-09  jmc  (1 file, -5/+5)
  update some client/server info; from jan klemkow
  ok jsing

* 2015-10-16  jsing  (1 file, -6/+6)
  Put tls_config_verify_client_optional() in the right place.

* 2015-10-16  jsing  (1 file, -3/+3)
  Fix tpyo.

* 2015-10-08  jmc  (1 file, -6/+6)
  trailing whitespace;

* 2015-10-07  beck  (1 file, -4/+30)
  Add tls_peer_cert_notbefore and tls_peer_cert_notafter to expose peer
  certificate validity times for tls connections.
  ok jsing@

* 2015-09-14  jmc  (1 file, -2/+2)
  tweak previous;

* 2015-09-14  jsing  (1 file, -1/+9)
  Provide tls_config_insecure_noverifytime() in order to be able to disable
  certificate validity checking.
  ok beck@

* 2015-09-14  schwarze  (1 file, -4/+4)
  Remove useless quoting from .Fo and .Fn function names, to prevent
  development of a cargo cult in case people look at existing files for
  examples. This achieves a consistent .Fo and .Fn quoting style across
  the whole tree.

* 2015-09-14  jmc  (1 file, -8/+7)
  some conn_version and conn_cipher bits;

* 2015-09-14  schwarze  (1 file, -2/+3)
  add missing function return types

* 2015-09-13  beck  (1 file, -3/+23)
  add visibility of cipher and connection version strings
  ok jsing@

* 2015-09-12  beck  (1 file, -20/+10)
  Move connection info into its own private structure allocated and filled
  in at handshake time. change accessors to return const char * to remove
  need for caller to free memory.
  ok jsing@

* 2015-09-11  jmc  (1 file, -1/+4)
  more for NAME;

* 2015-09-11  jmc  (1 file, -16/+15)
  more cleanup;

* 2015-09-11  jmc  (1 file, -20/+20)
  update NAME; various cleanup

* 2015-09-11  beck  (1 file, -2/+54)
  document tls_get_peer_subject, tls_get_peer_issuer, and tls_get_peer_hash
  ok jsing@

* 2015-09-11  beck  (1 file, -2/+29)
  add tls_peer functions for checking names and issuers of peer certificates.
  ok jsing@