| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
accepted via an existing pair of file descriptors.
Based on a diff from Jan Klemkow.
|
| |
|
|
|
|
|
| |
for the server, rather than on the context for the connection. This makes
more sense than the current behaviour does.
Issue reported by Tim van der Molen.
|
| |
|
|
| |
repeated use of tls_connect. ok jsing
|
| |
|
|
|
|
| |
them guaranteed to not conflict per POSIX.
ok espie@ guenther@
|
| | |
|
| |
|
|
|
|
|
| |
tls_config_insecure_noverifyname(), so that it is more accurate and keeps
inline with the distinction between DNS hostname and server name.
Requested by tedu@ during s2k15.
|
| |
|
|
| |
configuration.
|
| |
|
|
|
|
|
| |
be those that are TLSv1.2 with AEAD and PFS. Provide a "compat" mode that
allows the previous default ciphers to be selected.
Discussed with tedu@ during s2k15.
|
| | |
|
| | |
|
| |
|
|
| |
ok jsing
|
| | |
|
| |
|
|
| |
tls_config_set_protocols().
|
| | |
|
| |
|
|
|
|
|
|
|
| |
to be converted into a libtls protocols value. This allows for things like:
"tlsv1.0,tlsv1.1" (TLSv1.0 and TLSv1.1)
"all,!tlsv1.0" (all protocols except TLSv1.0)
Discussed with tedu@ and reyk@
|
| |
|
|
| |
Found by reyk@
|
| |
|
|
|
|
|
|
| |
that includes all currently supported protocols (TLSv1.0, TLSv1.1 and
TLSv1.2). Change all users of libtls to use TLS_PROTOCOLS_ALL so that they
maintain existing behaviour.
Discussed with tedu@ and reyk@.
|
| |
|
|
|
|
|
|
|
| |
as tls_connect(), however allows the name to use for verification to be
explicitly provided, rather than being inferred from the host value.
Requested by reyk@
ok reyk@ tedu@
|
| |
|
|
|
|
|
|
|
|
| |
to an actual host and use "servername" when referring to the name of the
TLS server that we expect to be indentified in the server certificate.
Likewise, rename verify_host to verify_name and use the term "name"
throughout the verification code (rather than host or hostname).
Requested by and ok tedu@
|
| |
|
|
|
|
|
|
|
| |
IPv4 or IPv6 address before trying to resolve the address with the
AI_ADDRCONFIG flag set. This makes sure that attempts to connect to
numeric IPs or loopback addresses are always possible and not
prevented by AI_ADDRCONFIG.
OK jsing@ tedu@
|
| |
|
|
|
|
|
| |
to ignore unsupported address families - eg. don't resolv IPv6 on
IPv4-only hosts.
OK jsing@
|
| | |
|
| |
|
|
|
|
|
|
| |
The tls_accept_socket() has been previously removed because the API is
not fixed yet; but it is also already used by httpd(8) and spamd(8) so
it is time to add it again and eventually change it later.
OK tedu@
|
| |
|
|
|
|
|
|
|
| |
into memory. This can be used for tls_config_set_ca_mem(),
tls_config_set_cert_mem() or tls_config_set_key_mem().
With input from jsing@, tedu@ and henning@
OK tedu@
|
| |
|
|
|
|
|
| |
dance handling code. This means that we get slightly useful messages when
a TLS connection or accept fails.
Requested by reyk@
|
| |
|
|
|
|
|
|
|
| |
use for DHE. This enables the use of DHE cipher suites.
Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it
is only used to specify the curve for ephemeral ECDH.
Discussed with reyk@
|
| |
|
|
|
|
| |
failures return something that is actually useful to the caller.
ok reyk@
|
| |
|
|
|
| |
As discussed with beck@ jsing@ and others
OK beck@
|
| |
|
|
| |
OK jsing@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
specifying a file. This enables CA verification in privsep'ed
processes that are running chroot'ed without direct access to the
certificate files.
With feedback, tests, and OK from bluhm@
|
| |
|
|
|
|
|
|
| |
using the name of relayd relay or smtpd pki, use a 32 byte arc4random
buffer that should be unique for the context. This fixes an issue in
OpenSMTPD when a long pki name could break the configuration.
OK gilles@ benno@
|
| |
|
|
|
|
|
|
| |
Use the same logic from the read, write, accept functions to inform
the caller wether a readable or writable socket is needed. After
that event, the connect function must be called again. All the
checks before connecting are done only once.
OK tedu@
|
| |
|
|
|
| |
a compiler warning about shadowing a global declaration.
OK jsing@
|
| |
|
|
|
| |
because the API design isn't fully settled.
Requested by jsing@ and tedu@.
|
| |
|
|
| |
patch from Sunil at Nimmagadda dot net
|
| |
|
|
| |
Noticed while testing libtls on FreeBSD.
|
| |
|
|
|
|
|
|
|
|
| |
libtls accepts size_t for lengths but libssl accepts int. This verifies
that the input does not exceed INT_MAX. It also avoids truncating size_t
when comparing with int and adds printf-style attributes for
tls_set_error().
with input from deraadt@ and tedu@
ok tedu@
|
| |
|
|
|
|
|
|
| |
Remove direct calls to printf from the tls_check_hostname() path. This allows
NUL byte error messages to bubble up to the caller, to be logged in a
program-appropriate way. It also removes non-portable calls to getprogname().
ok jsing@
|
| |
|
|
|
|
|
| |
sk_GENERAL_NAME_pop_free() instead of sk_GENERAL_NAME_free(). The latter
only frees the stack itself and does not free the items.
From Basskrapfen on github.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Remove direct calls to printf from the tls_check_hostname() path. This allows
NUL byte error messages to bubble up to the caller, to be logged in a
program-appropriate way. It also removes non-portable calls to getprogname().
The semantics of tls_error() are changed slightly: the last error message is
not necessarily preserved between subsequent calls into the library.
When the previous call to libtls succeeds, client programs should treat the
return value of tls_error() as undefined.
ok tedu@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
established using a pair of existing file descriptors.
Based on a diff/request from Jan Klemkow.
Rides previous libtls rename/library bump.
Discussed with tedu@.
|
|
|
distinguish between LibreSSL (the project) and libressl (the library).
Discussed with many.
|
