summaryrefslogtreecommitdiff
path: root/src/lib/libtls (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Add tls_peer_cert_chain_pem - To retreive the peer certificate and chainbeck2017-04-057-6/+77
| | | | | | | as PEM format. This allows for it to be used or examined with tools external to libtls bump minor ok jsing@
* Internal changes to allow for relayd engine privsep. sends the hash of thebeck2017-04-055-29/+87
| | | | | | public key as an identifier to RSA, and adds an function for relayd to use to disable private key checking when doing engine privsep. ok jsing@
* fix error in Dt; from robert kleinjmc2017-03-021-3/+3
|
* Bump minors due to symbol addition.jsing2017-02-281-1/+1
|
* spelling fix;jmc2017-02-201-2/+2
|
* document tls_config_error(3) RETURN VALUES, improve what is saidschwarze2017-02-202-6/+59
| | | | | about tls_error(3), and warn about some traps; OK jmc@
* tweak previous;jmc2017-01-312-12/+8
|
* Add tls_config_[add|set]keypair_ocsp functions so that ocsp staples may bebeck2017-01-316-58/+209
| | | | | | | | added associated to a keypair used for SNI, and are usable for more than just the "main" certificate. Modify httpd to use this. Bump libtls minor. ok jsing@
* Disable client-initiated renegotiation for libtls servers.jsing2017-01-311-1/+3
| | | | ok beck@ reyk@
* Marko Kreen contributed significantly to the ocsp stuff for libtlsbeck2017-01-291-2/+3
|
* Move the ocsp staple to being part of the keypair structure internally,beck2017-01-293-14/+32
| | | | | | | so that it does not send back bogus staples when SNI is in use. (Further change is required to be able to use staples on all keypairs and not just the main one) ok jsing@
* add HISTORY and AUTHORSschwarze2017-01-2812-24/+256
|
* Fix Copyright notices; ok beck@ jsing@ tedu@schwarze2017-01-2711-28/+43
|
* More s/OSCP/OCSP/ typostom2017-01-271-1/+1
| | | | ok jmc@
* fix Dt;jmc2017-01-261-3/+3
|
* Use a flag to track when we need to call SSL_shutdown(). This avoids anjsing2017-01-264-5/+11
| | | | | | | | | issue where by calling tls_close() on a TLS context that has not attempted a handshake, results in an unexpected failure. Reported by Vinay Sajip. ok beck@
* Bump TLS_API due to new features being added earlier this week.jsing2017-01-261-2/+2
|
* Bump libtls minor due to symbol additions earlier this week.jsing2017-01-261-1/+1
|
* split the tls_init(3) that had grown fat to allow healthy future growth;schwarze2017-01-2515-888/+1474
| | | | suggested by jsing@; "i would just chuck it in" jmc@
* Bump libssl and libtls minors due to symbol additions.jsing2017-01-241-1/+1
|
* accross -> across;jmc2017-01-241-2/+2
|
* Introduce ticket support. To enable them it is enough to set a positiveclaudio2017-01-246-14/+251
| | | | | | | | | | | | | | | | | | | | lifetime with tls_config_set_session_lifetime(). This enables tickets and uses an internal automatic rekeying mode for the ticket keys. If multiple processes are involved the following functions can be used to make tickets work accross all instances: - tls_config_set_session_id() sets the session identifier - tls_config_add_ticket_key() adds an encryption and authentication key For now only the last 4 keys added will be used (unless they are too old). If tls_config_add_ticket_key() is used the caller must ensure to add new keys regularly. It is best to do this 4 times per session lifetime (which is also the ticket key lifetime). Since tickets break PFS it is best to minimize the session lifetime according to needs. With a lot of help, input and OK beck@, jsing@
* Add missing documentation for tls_config_set_verify_depthclaudio2017-01-241-1/+5
| | | | Done together with jsing@
* Shuffle the deck chairs to bring them back in order.claudio2017-01-241-9/+9
|
* tls_config_add_keypair_mem is the function to add additional keypairs andclaudio2017-01-241-5/+5
| | | | | | ocsp_staple functions set the OCSP response they don't add them (which implies you can call them multiple times). Discussed with jsing@ beck@
* Disable session cache and tickets by default.claudio2017-01-221-1/+5
| | | | OK beck@ jsing@
* Wrap long lines.jsing2017-01-221-4/+7
|
* Bump majors for libssl and libtls following the translucent struct change.jsing2017-01-221-1/+1
| | | | Further changes to the publically visible structs will ride this bump.
* whitespacederaadt2017-01-131-3/+3
|
* Inline strlen() call to reduce/simplify code.jsing2017-01-121-5/+2
|
* Inline tls_get_new_cb_bio() from the only place that it gets called,jsing2017-01-121-22/+11
| | | | | simplifying the code. Also check the provided read and write callbacks before assigning to the context.
* If tls_set_cbs() fails an error will already be specified, so do notjsing2017-01-122-8/+4
| | | | replace it with a less specific one.
* Simplify the TLS callback BIO code - a pointer to the tls context can bejsing2017-01-121-66/+7
| | | | | | | stored directly in bio->ptr, rather than allocating and deallocating an intermediate struct. Diff from Marko Kreen <markokr at gmail dot com> - thanks!
* If tls_get_new_cb_bio() fails, an error will already be set.jsing2017-01-121-5/+2
|
* If no callbacks are specified, return after setting an error rather thanjsing2017-01-121-2/+4
| | | | | | continuing on. Also noticed by Marko Kreen.
* Avoid leaking conninfo servername.jsing2017-01-091-1/+3
| | | | Issue found by and fix from Shuo Chen <chenshuo at chenshuo dot com>.
* If certificate verification has been disabled, do not attempt to load ajsing2017-01-031-5/+9
| | | | | | | CA chain or specify CA paths. This prevents attempts to access the file system, which may fail due to pledge. ok bluhm@
* Revert previous - the original code was correct since X509_verify_cert()jsing2017-01-031-5/+5
| | | | | | | | | | | should not have changed the X509_STORE_CTX error value on success and it was initialised to X509_V_OK by X509_STORE_CTX_init(). Other software also depends on this behaviour. Previously X509_verify_cert() was mishandling the X509_STORE_CTX error value when validating alternate chains. This has been fixed and further changes now explicitly ensure that the error value will be set to X509_V_OK if X509_verify_cert() returns success.
* fix cert verify. a cert with an alt chain may verify but leave an errortedu2017-01-021-5/+5
| | | | | | in the context. don't look for errors in case of success. fixes spurious verify errors. guilty change tracked and fix tested by sthen
* Hook up a certificate verify callback so that we can set user friendlyjsing2016-12-262-8/+31
| | | | | | | | | | | | | | | | | | error messages, instead of libssl error strings. This gives us messages like: certificate verification failed: certificate has expired Instead of: 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed This also lets us always enable peer verification since the no verification case is now handled via the callback. Tested by tedu@ ok beck@
* Bump libcrypto/libssl/libtls majors due to libcrypto symbol removal andjsing2016-12-211-1/+1
| | | | changes to libssl non-opaque structs.
* Bump TLS_API due to recent feature additions and changes.jsing2016-11-111-2/+2
|
* Change the return value of tls_config_set_protocols() andjsing2016-11-113-12/+18
| | | | | | | | | | tls_config_set_verify_depth() from void to int. This makes them consistent with all other tls_config_set_* functions and will allow for call time validation to be implemented. Rides libtls major bump. ok beck@
* Disable ec assembly for amd64 pending fixes for ssh, and bumpbeck2016-11-111-2/+2
| | | | majors appropriately
* Set the callback on the correct ssl_ctx for the SNI case, instead ofbeck2016-11-061-2/+2
| | | | | the master only. ok jsing@
* fix misplaced quote by tls_peer_ocsp_this_updatebcook2016-11-051-2/+2
|
* tweak previous;jmc2016-11-051-6/+6
|
* bump minors for symbol addition for ocsp and x25519 symbol additionsbeck2016-11-051-1/+1
|
* Add support for server side OCSP stapling to libtls.beck2016-11-057-12/+79
| | | | Add support for server side OCSP stapling to netcat.
* rename ocsp_ctx to ocspbeck2016-11-053-68/+68
| | | | ok jsing@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 10:27:20 +0000