|
Revision tags: OpenSSL_1_1_1f, OpenSSL_1_1_1e |
|
| #
433deaff |
| 25-Feb-2020 |
Rich Salz |
Use .cnf for config files, not .conf
The default is openssl.cnf The project seems to prefer xxx.conf these
days, but we should use the default convention.
Rename all foo.conf (
Use .cnf for config files, not .conf
The default is openssl.cnf The project seems to prefer xxx.conf these
days, but we should use the default convention.
Rename all foo.conf (except for Configurations) to foo.cnf
Fixes #11174
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11176)
show more ...
|
| #
a3f3ed65 |
| 14-Feb-2020 |
Richard Levitte |
TEST: Modify test/recipes/80-test_ssl_new.t to leave artifacts behind
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11080)
|
|
Revision tags: OpenSSL_1_0_2u, OpenSSL_1_0_2t, OpenSSL_1_1_0l, OpenSSL_1_1_1d |
|
| #
dbc6268f |
| 13-Jun-2019 |
Matt Caswell |
Allow TLSv1.3 in a no-ec build
Now that we have TLSv1.3 FFDHE support there is no reason why we should
not allow TLSv1.3 to be used in a no-ec build. This commit enables that
to happ
Allow TLSv1.3 in a no-ec build
Now that we have TLSv1.3 FFDHE support there is no reason why we should
not allow TLSv1.3 to be used in a no-ec build. This commit enables that
to happen.
It also fixes no-ec which was previously broken.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9156)
show more ...
|
|
Revision tags: OpenSSL_1_1_1c, OpenSSL_1_1_0k, OpenSSL_1_0_2s, OpenSSL_1_0_2r, OpenSSL_1_1_1b, OpenSSL_1_0_2q, OpenSSL_1_1_0j, OpenSSL_1_1_1a, OpenSSL_1_1_1, OpenSSL_1_1_1-pre9, OpenSSL_1_0_2p, OpenSSL_1_1_0i, OpenSSL_1_1_1-pre8, OpenSSL_1_1_1-pre7, OpenSSL_1_1_1-pre6, OpenSSL_1_1_1-pre5, OpenSSL_1_1_1-pre4, OpenSSL_1_0_2o, OpenSSL_1_1_0h, OpenSSL_1_1_1-pre3, OpenSSL_1_1_1-pre2, OpenSSL_1_1_1-pre1, OpenSSL_1_0_2n, OpenSSL_1_0_2m, OpenSSL_1_1_0g |
|
| #
088dfa13 |
| 10-Jul-2017 |
Todd Short |
Add option to disable Extended Master Secret
Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either
an SSL or an SSL_CTX. When processing a ClientHello, if this flag
is se
Add option to disable Extended Master Secret
Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either
an SSL or an SSL_CTX. When processing a ClientHello, if this flag
is set, do not indicate that the EMS TLS extension was received in
either the ssl3 object or the SSL_SESSION. Retain most of the
sanity checks between the previous and current session during
session resumption, but weaken the check when the current SSL
object is configured to not use EMS.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3910)
show more ...
|
| #
09d62b33 |
| 26-Dec-2018 |
Michael Tuexen |
Fix end-point shared secret for DTLS/SCTP
When computing the end-point shared secret, don't take the
terminating NULL character into account.
Please note that this fix breaks interop
Fix end-point shared secret for DTLS/SCTP
When computing the end-point shared secret, don't take the
terminating NULL character into account.
Please note that this fix breaks interoperability with older
versions of OpenSSL, which are not fixed.
Fixes #7956
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7957)
show more ...
|
| #
909f1a2e |
| 06-Dec-2018 |
Richard Levitte |
Following the license change, modify the boilerplates in test/
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7767)
|
| #
65d2c16c |
| 12-Nov-2018 |
Matt Caswell |
Fix no-ec and no-tls1_2
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7620)
|
| #
75b68c9e |
| 12-Oct-2018 |
Tomas Mraz |
Unbreak SECLEVEL 3 regression causing it to not accept any ciphers.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #7391
|
| #
35a164ea |
| 14-Mar-2018 |
Matt Caswell |
Fix no-ec
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5618)
|
|
Revision tags: OpenSSL_1_0_2l, OpenSSL_1_1_0f, OpenSSL-fips-2_0_16 |
|
| #
df0fed9a |
| 15-Mar-2017 |
Todd Short |
Session Ticket app data
Adds application data into the encrypted session ticket
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(M
Session Ticket app data
Adds application data into the encrypted session ticket
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3802)
show more ...
|
| #
6738bf14 |
| 13-Feb-2018 |
Matt Caswell |
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
| #
c423ecaa |
| 09-Feb-2018 |
Matt Caswell |
Fixes for no-tls1_2 and no-tls1_2-method
The no-tls1_2 option does not work properly in conjunction with TLSv1.3
being enabled (which is now the default). This commit fixes the issues.
Fixes for no-tls1_2 and no-tls1_2-method
The no-tls1_2 option does not work properly in conjunction with TLSv1.3
being enabled (which is now the default). This commit fixes the issues.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5301)
show more ...
|
| #
f518cef4 |
| 06-Feb-2018 |
Matt Caswell |
Enable TLSv1.3 by default
[extended tests]
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5266)
|
| #
9d75dce3 |
| 18-Dec-2017 |
Todd Short |
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have ce
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.
Update SSL_CTX_set_verify()/SSL_set_verify() mode:
* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.
* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.
Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options
Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha
Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code
Update documentation
Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests
DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error
Update handshake context to deal with PHA.
The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.
After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.
This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
show more ...
|
| #
a8ea8018 |
| 10-Dec-2017 |
Matt Caswell |
Fix no-chacha
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4891)
|
| #
ef178b4e |
| 10-Dec-2017 |
Matt Caswell |
Don't expect a POLY1305 ciphersuite when using no-poly1305
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4891)
|
| #
f5fea665 |
| 10-Dec-2017 |
Matt Caswell |
Fix ssl_test_new with no-tls1_2
The tests in 25-cipher.conf all use TLSv1.2 ciphersuites so we shouldn't
run it if we don't have TLSv1.2
Reviewed-by: Richard Levitte <levitte@op
Fix ssl_test_new with no-tls1_2
The tests in 25-cipher.conf all use TLSv1.2 ciphersuites so we shouldn't
run it if we don't have TLSv1.2
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4889)
show more ...
|
| #
8a8bc665 |
| 07-Dec-2017 |
Benjamin Kaduk |
Fix no-ec
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4874)
|
|
Revision tags: OpenSSL_1_1_0e, OpenSSL_1_0_2k, OpenSSL_1_1_0d, OpenSSL-fips-2_0_15, OpenSSL-fips-2_0_14, OpenSSL_1_1_0c, OpenSSL_1_0_2j, OpenSSL_1_1_0b, OpenSSL_1_0_1u, OpenSSL_1_0_2i, OpenSSL_1_1_0a, OpenSSL_1_1_0, OpenSSL_1_1_0-pre6, OpenSSL-fips-2_0_13, OpenSSL_1_0_1t, OpenSSL_1_0_2h, OpenSSL_1_1_0-pre5, OpenSSL_1_1_0-pre4, OpenSSL_1_0_1s, OpenSSL_1_0_2g, OpenSSL_1_1_0-pre3, OpenSSL-fips-2_0_12, OpenSSL_1_0_1r, OpenSSL_1_0_2f, OpenSSL_1_1_0-pre2 |
|
| #
e1c7871d |
| 21-Dec-2015 |
Todd Short |
Use ChaCha only if prioritized by clnt
IFF the client has ChaCha first, and server cipher priority is used,
and the new SSL_OP_PRIORITIZE_CHACHA_FOR_MOBILE option is used,
then repri
Use ChaCha only if prioritized by clnt
IFF the client has ChaCha first, and server cipher priority is used,
and the new SSL_OP_PRIORITIZE_CHACHA_FOR_MOBILE option is used,
then reprioritize ChaCha above everything else. This way, A matching
ChaCha cipher will be selected if there is a match. If no ChaCha ciphers
match, then the other ciphers are used.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4436)
show more ...
|
| #
cf72c757 |
| 05-Nov-2017 |
FdaSilvaYY |
Implement Maximum Fragment Length TLS extension.
Based on patch from Tomasz Moń:
https://groups.google.com/forum/#!topic/mailing.openssl.dev/fQxXvCg1uQY
Reviewed-by: Matt Caswel
Implement Maximum Fragment Length TLS extension.
Based on patch from Tomasz Moń:
https://groups.google.com/forum/#!topic/mailing.openssl.dev/fQxXvCg1uQY
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/1008)
show more ...
|
| #
8d2214c0 |
| 01-Aug-2017 |
Richard Levitte |
File::Glob option ':bsd_glob' doesn't work everywhere, replace w/ a wrapper
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4069)
|
| #
cb6afcd6 |
| 01-Aug-2017 |
Richard Levitte |
Consolidate the locations where we have our internal perl modules
Instead of having perl modules under test/testlib, util and util/perl,
consolidate them all to be inside util/perl.
Consolidate the locations where we have our internal perl modules
Instead of having perl modules under test/testlib, util and util/perl,
consolidate them all to be inside util/perl.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4069)
show more ...
|
| #
102c9e12 |
| 28-Jul-2017 |
Richard Levitte |
Perl: Use File::Glob::bsd_glob rather than File::Glob::glob
File::Glob::glob is deprecated, it's use generates this kind of
message:
File::Glob::glob() will disappear in per
Perl: Use File::Glob::bsd_glob rather than File::Glob::glob
File::Glob::glob is deprecated, it's use generates this kind of
message:
File::Glob::glob() will disappear in perl 5.30. Use File::Glob::bsd_glob() instead. at ../master/Configure line 277.
So instead, use a construction that makes the caller glob() use
File::Glob::bsd_glob().
Note that we're still excluding VMS, as it's directory specs use '['
and ']', which have a different meaning with bsd_glob and would need
some extra quoting. This might change, but later.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4040)
show more ...
|
| #
c649d10d |
| 05-Apr-2017 |
Todd Short |
TLS1.3 Padding
Add padding callback for application control
Standard block_size callback
Documentation and tests included
Configuration file/s_client/s_srver option
Revi
TLS1.3 Padding
Add padding callback for application control
Standard block_size callback
Documentation and tests included
Configuration file/s_client/s_srver option
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3130)
show more ...
|
| #
0f5df0f1 |
| 24-Apr-2017 |
Matt Caswell |
Add SCTP testing for 04-client_auth.conf
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3286)
|
