path: root/src/lib/libtls/tls_ocsp.c

Commit log (commit message; author, date, files changed, lines removed/added):
* Simplify some code by using X509_STORE_CTX_get_obj_by_subject()
  tb, 2021-10-31, 1 file, -8/+8
  ok beck jsing
* libtls: Don't reach into X509_STORE_CTX.
  tb, 2021-10-21, 1 file, -12/+20
  ok jsing
* OCSP_basic_verify() doesn't set errno, so use tls_set_errorx()
  tb, 2021-03-23, 1 file, -2/+2
  ok inoguchi
* Add missing RCS tag.
  tb, 2019-12-03, 1 file, -0/+1
* Do not bother NULLing pointers in memory that is freed immediately after.
  jsing, 2018-02-05, 1 file, -3/+1
* Be consistent with the goto label names used in libtls code.
  jsing, 2018-02-05, 1 file, -18/+19
  No change to generated assembly.
* Keep track of which keypair is in use by a TLS context.
  jsing, 2017-09-20, 1 file, -11/+11
  This fixes a bug whereby a TLS server with SNI would always only return the OCSP staple for the default keypair, rather than returning the OCSP staple associated with the keypair that was selected via SNI. Issue reported by William Graeber and confirmed by Andreas Bartelt. Fix tested by William Graeber and Andreas Bartelt - thanks!
* Slightly restructure tls_ocsp_verify_cb() to make it more like libtls code.
  jsing, 2017-09-20, 1 file, -6/+7
* Provide a useful error if there are no OCSP URLs in the peer certificate.
  jsing, 2017-09-20, 1 file, -1/+4
* Fix indentation.
  jsing, 2017-09-20, 1 file, -1/+1
* Plug a memory leak. The main_cert needs to be X509_free()ed since
  claudio, 2017-05-16, 1 file, -0/+2
  SSL_get_peer_certificate() increases the ref count whereas extra_certs do not because SSL_get_peer_cert_chain() won't increase ref counts. OK beck@
* Move the ocsp staple to being part of the keypair structure internally,
  beck, 2017-01-29, 1 file, -6/+8
  so that it does not send back bogus staples when SNI is in use. (Further change is required to be able to use staples on all keypairs and not just the main one) ok jsing@
* More s/OSCP/OCSP/ typos
  tom, 2017-01-27, 1 file, -1/+1
  ok jmc@
* Add support for server side OCSP stapling to libtls.
  beck, 2016-11-05, 1 file, -2/+32
  Add support for server side OCSP stapling to netcat.
* rename ocsp_ctx to ocsp
  beck, 2016-11-05, 1 file, -57/+57
  ok jsing@
* make public ASN1_time_parse and ASN1_time_tm_cmp to replace former hidden
  beck, 2016-11-04, 1 file, -2/+1
  functions. document with a man page. bump majors on libtls, libssl, libcrypto ok jsing@ guenther@
* Add ocsp_require_stapling config option for tls - allows a connection
  beck, 2016-11-04, 1 file, -1/+6
  to indicate that it requires the peer to provide a stapled OCSP response with the handshake. Provide a "-T muststaple" for nc that uses it. ok jsing@, guenther@
* Don't do OCSP validation when we have disabled certificate verification
  beck, 2016-11-03, 1 file, -1/+4
  or certificate validation. ok jsing@
* Fix handshake failures:
  beck, 2016-11-03, 1 file, -20/+26
  split out internals of OCSP verification to allow callback to verify before TLS handshake is complete
* fix shadow declaration of time in parameter list.
  beck, 2016-11-02, 1 file, -2/+2
  ok jsing@
* Ensure handshake is complete before processing an ocsp response for a ctx
  beck, 2016-11-02, 1 file, -0/+3
  ok jsing@
* Add OCSP client side support to libtls.
  beck, 2016-11-02, 1 file, -0/+399
  - Provide access to certificate OCSP URL
  - Provide ability to check a raw OCSP reply against an established TLS ctx
  - Check and validate OCSP stapling info in the TLS handshake if a stapled OCSP response is provided.
  Add example code to show OCSP URL and stapled info into netcat. ok jsing@