openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Age	Files	Lines
*	Store errors that occur during a tls_accept_socket() call on the context	jsing	2015-03-31	1	-2/+3
\| \| \| \| \| \| \|	for the server, rather than on the context for the connection. This makes more sense than the current behaviour does. Issue reported by Tim van der Molen.
*	In the interests of being secure by default, make the default TLS ciphers	jsing	2015-02-22	1	-1/+4
\| \| \| \| \| \| \|	be those that are TLSv1.2 with AEAD and PFS. Provide a "compat" mode that allows the previous default ciphers to be selected. Discussed with tedu@ during s2k15.
*	Be consistent with naming - only use "host" and "hostname" when referring	jsing	2015-02-11	1	-3/+3
\| \| \| \| \| \| \| \| \| \|	to an actual host and use "servername" when referring to the name of the TLS server that we expect to be indentified in the server certificate. Likewise, rename verify_host to verify_name and use the term "name" throughout the verification code (rather than host or hostname). Requested by and ok tedu@
*	Convert tls_connect_fds() and tls_accept_socket() to the new OpenSSL error	jsing	2015-02-07	1	-1/+2
\| \| \| \| \| \| \|	dance handling code. This means that we get slightly useful messages when a TLS connection or accept fails. Requested by reyk@
*	Add tls_config_set_dheparams() to allow specification of the parameters to	jsing	2015-02-07	1	-2/+3
\| \| \| \| \| \| \| \| \|	use for DHE. This enables the use of DHE cipher suites. Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it is only used to specify the curve for ephemeral ECDH. Discussed with reyk@
*	Allow to to load the CA chain directly from memory instead of	reyk	2015-01-22	1	-1/+3
\| \| \| \| \| \| \| \|	specifying a file. This enables CA verification in privsep'ed processes that are running chroot'ed without direct access to the certificate files. With feedback, tests, and OK from bluhm@
*	For non-blocking sockets tls_connect_fds() could fail with EAGAIN.	bluhm	2015-01-13	1	-2/+3
\| \| \| \| \| \| \| \|	Use the same logic from the read, write, accept functions to inform the caller wether a readable or writable socket is needed. After that event, the connect function must be called again. All the checks before connecting are done only once. OK tedu@
*	Add size_t to int checks for SSL functions.	doug	2014-12-17	1	-2/+4
\| \| \| \| \| \| \| \| \| \|	libtls accepts size_t for lengths but libssl accepts int. This verifies that the input does not exceed INT_MAX. It also avoids truncating size_t when comparing with int and adds printf-style attributes for tls_set_error(). with input from deraadt@ and tedu@ ok tedu@
*	Allow specific libtls hostname validation errors to propagate.	bcook	2014-12-07	1	-2/+2
\| \| \| \| \| \| \| \|	Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). ok jsing@
*	revert previous change for now, adjusting based on comments from jsing@	bcook	2014-12-07	1	-3/+2
\|
*	Allow specific libtls hostname validation errors to propagate.	bcook	2014-12-07	1	-2/+3
\| \| \| \| \| \| \| \| \| \| \| \| \|	Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). The semantics of tls_error() are changed slightly: the last error message is not necessarily preserved between subsequent calls into the library. When the previous call to libtls succeeds, client programs should treat the return value of tls_error() as undefined. ok tedu@
*	Rename libressl to libtls to avoid confusion and to make it easier to	jsing	2014-10-31	1	-0/+72
	distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.