summaryrefslogtreecommitdiff
path: root/src/usr.bin (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* * ptr -> *ptrtb2020-11-031-5/+5
|
* X509_verify_cert()'s return value is not reliable if the callbacktb2020-11-031-20/+22
| | | | | | | | | | | | | returns 1. verify.c's cb() ignores a bunch of things to display as much info as possible. Thus, check the error code on the store ctx as well, similar to OpenSSL commit d9e309a6 (old licence). This makes openssl verify error on expired certs, at least with the legacy verify code. While here, fix a number of style issues, simplify and plug a leak. ok inoguchi
* some comma fixes; from varik valeforjmc2020-11-011-12/+12
| | | | (audio.4 tweaked from that submitted)
* Add a -legacy_verify flag to force use of the old validator for debuggingtb2020-10-263-4/+13
| | | | | | and testing purposes. ok beck inoguchi jsing
* no need to initialize i if it's re-initialized a few lines downtb2020-10-141-2/+1
|
* Free peekaboo pbuf at end of s_client_main()tb2020-10-141-1/+2
| | | | | | | Otherwise each run of the s_client leaks 16k of memory. This hurts in interactive mode. ok inoguchi jsing
* Make sure an OCSP query sends a host headertb2020-10-131-4/+13
| | | | | | | | | | | While OCSP uses HTTP/1.0 where a host header is optional, some widely used OCSP responders will return 400 bad request if it is missing. Add such a header unless it's already provided in the user's custom headers. OpenSSL did something similar in ff4a9394a23 and 76e0cd12f68 (both commits are under the old license) ok inoguchi
* set SO_REUSEADDR on the server socket when we play oscp server.beck2020-10-081-1/+2
| | | | ok inoguchi@ tb@ deraadt@
* Add -[46] nops for compatibility with the OpenSSL s_servertb2020-10-021-1/+9
| | | | | | | | | | | | | | | On OpenBSD it's necessary to use the eopenssl11 s_server with either -4 or -6 to choose an address family. I often want to try something with an OpenSSL server and then test the same thing with LibreSSL or vice versa. Adding and removing -4s on top of editing the command is annoying and distracting. This commits teaches our s_server to ignore -4 and -6 and thus makes commands that work with eopenssl11 more likely to work with openssl(1). These options are deliberately undocumented and don't show up in help listings. ok bcook inoguchi jsing
* Wrap long lines, add space in front of goto label in openssl(1) ocsp.cinoguchi2020-09-091-93/+118
|
* Change SSLv23_client_method to TLS_client_method openssl(1) ocspinoguchi2020-09-091-2/+2
|
* Remove space between pointer '*' and variable name in ocsp.cinoguchi2020-09-091-39/+39
|
* Convert openssl(1) ocsp option handlinginoguchi2020-09-091-443/+725
| | | | input and ok tb@
* Add option type OPTION_UL_VALUE_ORinoguchi2020-09-092-2/+9
| | | | ok tb@
* Convert openssl req option handling.jsing2020-08-091-378/+572
| | | | | | With input from inoguchi@ ok beck@ inoguchi@
* Wrap long lines s_server.cinoguchi2020-07-271-67/+130
|
* Add function prototype and move sub functions to bottominoguchi2020-07-271-198/+197
|
* Remove space between '*' and pointer variable in s_server.cinoguchi2020-07-271-12/+12
|
* Remove 's_' prefix from member of s_server_config structinoguchi2020-07-271-110/+110
|
* Convert openssl(1) s_server option handlinginoguchi2020-07-271-568/+929
| | | | ok and comments from jsing@
* Convert option handling for openssl(1) verify.jsing2020-07-141-88/+220
| | | | ok inoguchi@, tb@
* Remove hypheninoguchi2020-07-141-3/+3
|
* Add single space between pem and ...inoguchi2020-07-141-2/+2
|
* Add manual for openssl(1) certhashinoguchi2020-07-141-2/+57
| | | | ok jmc@
* Clean up s_client.cinoguchi2020-07-101-26/+27
| | | | | | | - Remove space between '*' and pointer variable. - Add function prototype. - Move callback function to bottom. - Move typedef struct to up.
* Change variable bio_c_out from global to localinoguchi2020-07-101-15/+11
| | | | ok tb@
* Wrap long lines and put space in front of label in s_client.cinoguchi2020-07-091-46/+80
|
* Remove c_ prefix from s_client_config memberinoguchi2020-07-091-33/+33
|
* Convert openssl(1) s_client option handlinginoguchi2020-07-091-450/+770
| | | | suggestions and ok beck@ jsing@ tb@
* While the second SSL_CTX in this code is only used on servernametb2020-05-231-1/+2
| | | | | | | | callback, so its mode is not used to update the ssl's mode, it seems more appropriate to clear the SSL_MODE_AUTO_RETRY flag on it as well. ok jsing
* In ssl_lib.c revision 1.217, jsing enabled SSL_MODE_AUTO_RETRY bytb2020-05-232-2/+7
| | | | | | | default. To avoid hanging on a blocking read, we need to clear the SSL_MODE_AUTO_RETRY flag in the s_client and the s_server. ok beck inoguchi jsing
* Avoid an out-of-bounds array access in the s_server.tb2020-05-231-1/+3
| | | | | | | | | It can be triggered by sending a line to stdin while no connection is open and then connecting a client. The first SSL_write() fails, sends SSL_ERROR_WANT_* and then causes a segfault deep down in the tls stack when accessing &(buf[-1]). ok beck inoguchi
* sockaddr should be sockaddr_storage, otherwise "openssl s_client -6 -dtls1"deraadt2020-05-221-3/+4
| | | | | | (gurn) copies getsockname() retrieves a truncated result and 14 bytes of stack garbage get copied onwards. ok tb
* Add description for -tls1_3 and -no_tls1_3 options to openssl(1) s_serverinoguchi2020-05-131-6/+8
| | | | ok jsing@ tb@
* Add -tls1_3 and -no_tls1_3 options to openssl(1) s_serverinoguchi2020-05-131-6/+28
| | | | | | | - Add -tls1_3 and -no_tls1_3 to openssl(1) s_server - Stop using version pinned methods, instead setting the min and max protocol versions ok jsing@ tb@
* Make openssl X509 handle the failure case return code from X509_time_cmp.beck2020-05-101-5/+16
| | | | | | While we are in here also make it notice if time values in a certificate are bogus, and say so in the output. ok bcook@ jsing@
* Conditionalize sleep-before-retry in server code to only be done whenbeck2020-05-101-3/+5
| | | | | | | debug is on. otherwise, just retry. Fixes problems this creates in testing. ok jsing@ tb@
* Display TLSv1.3 extension type with openssl(1) -tlsextdebuginoguchi2020-04-261-7/+49
| | | | | | | | Add TLSv1.3 extension type, and sort by the definition order in tls1.h. This helps that openssl(1) s_server and s_client with -tlsextdebug displays the TLS extension type instead of "unknown". ok beck@ jsing@ tb@
* s_client: fix use of possibly uninitialized valuesinoguchi2020-04-261-2/+2
| | | | | | | | | | Set initial value to variable 'p' and 'pending'. Reported and fix requested from leonklingele by GitHub pull request. https://github.com/libressl-portable/portable/issues/577 https://github.com/libressl-portable/openbsd/pull/114 ok bcook@ jsing@ tb@
* In s_server.c rev. 1.33, jsing added support for "openssl s_server -groups";schwarze2020-04-251-6/+18
| | | | | | | | document it and deprecate "openssl s_server -named_curve". While here, fix the error in the synopsis for "openssl s_client -groups" and use unified argument naming and similar wording like in SSL_CTX_set1_groups_list(3). OK jsing@
* Add -groups option to openssl(1) s_server.jsing2020-04-192-35/+31
| | | | | | | | | | This allows supported EC groups to be configured, which will also control which TLSv1.3 key shares we'll accept. While here, deprecate the rather useless -named_curve option, which is effectively the same as -groups with a single group. Also stop setting a single default group of P-256 via SSL_CTX_set_tmp_ecdh() - use the library defaults instead. ok beck@ inoguchi@
* Tag subcommand sectionskn2020-02-191-2/+44
| | | | | | | | | Allow semantic lookup by manually tagging sections (.Sh) for which no automatic tagging has been implemented; this thereby also eliminates false positives such that ":tx509<Enter>" now jumps to the X509 section. feedback remi inoguchi schwarze OK tb
* Add -tls1_3 and -notls1_3 options to openssl(1) s_client.jsing2020-02-162-23/+37
| | | | | | | | | Also stop using version pinned methods, instead setting the min and max protocol versions. Requested by inoguchi@ ok inoguchi@ tb@
* Standardize argument naming for "sourceaddr" and unify the wording a bit,schwarze2020-02-122-10/+9
| | | | similar to what deraadt@ recently did in other manual pages.
* revert previous nc loop refactor from 1.211, breaks bluhm's stuffbeck2020-01-261-64/+36
| | | | will attempt again later, now that there is new regress
* add a couple of XXX for future cleanuptb2020-01-251-1/+4
|
* Teach openssl s_client a bit about TLSv1.3.tb2020-01-241-2/+17
| | | | ok beck jsing
* Make -peekaboo mode also use SSL_pending after peeking, to ensurebeck2020-01-231-2/+9
| | | | | | SSL_pending implementation is correct. annoying jsing@
* Simplify the peekaboo code.jsing2020-01-221-35/+6
| | | | ok beck@
* Add -peekaboo option to s_client, to test SSL_peekbeck2020-01-221-4/+66
| | | | | | peeks data before reading, compares to subsequent read. ok jsing@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 14:54:24 +0000