#
5d632274 |
| 07-Aug-2024 |
icy17 <1061499390@qq.com> |
Add missing security rules about NULL check to various manpages Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas M
Add missing security rules about NULL check to various manpages Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25083)
show more ...
|
#
7ed6de99 |
| 05-Sep-2024 |
Tomas Mraz |
Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes
|
#
a73e07db |
| 18-May-2024 |
Ruslan Baratov |
[Docs] Default value for verification flags is 'SSL_VERIFY_NONE' Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com
[Docs] Default value for verification flags is 'SSL_VERIFY_NONE' Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24435)
show more ...
|
#
da1c088f |
| 07-Sep-2023 |
Matt Caswell |
Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
|
#
d6e7ebba |
| 26-Jun-2023 |
Hugo Landau |
Minor fixes Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/op
Minor fixes Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20061)
show more ...
|
#
7163617f |
| 16-Jan-2023 |
Hugo Landau |
QUIC: Prohibit post-handshake auth Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged fro
QUIC: Prohibit post-handshake auth Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20061)
show more ...
|
#
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
|
#
1aa1bba5 |
| 15-Mar-2022 |
Dr. David von Oheimb |
SSL_CTX_set_verify.pod: move a note further down where it fits better Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oh
SSL_CTX_set_verify.pod: move a note further down where it fits better Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/17887)
show more ...
|
#
dfb39f73 |
| 07-Mar-2022 |
Tomas Mraz |
Replace handling of negative verification result with SSL_set_retry_verify() Provide a different mechanism to indicate that the application wants to retry the verification. The negative
Replace handling of negative verification result with SSL_set_retry_verify() Provide a different mechanism to indicate that the application wants to retry the verification. The negative result of the callback function now indicates an error again. Instead the SSL_set_retry_verify() can be called from the callback to indicate that the handshake should be suspended. Fixes #17568 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17825)
show more ...
|
#
54b40531 |
| 29-Jul-2021 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16176)
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j |
|
#
4acda863 |
| 16-Feb-2021 |
Dr. David von Oheimb |
DOC: Clarify the role of EKUs including defaults for TLS client and server use Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14199)
|
Revision tags: openssl-3.0.0-alpha11, openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7, OpenSSL_1_1_1h, openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2, openssl-3.0.0-alpha1, OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e, OpenSSL_1_0_2u, OpenSSL_1_0_2t, OpenSSL_1_1_0l, OpenSSL_1_1_1d |
|
#
e6716f2b |
| 02-Jul-2019 |
Tomas Mraz |
Clarify documentation of SSL_CTX_set_verify client side behavior Fixes #9259 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/92
Clarify documentation of SSL_CTX_set_verify client side behavior Fixes #9259 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9291)
show more ...
|
Revision tags: OpenSSL_1_1_1c, OpenSSL_1_1_0k, OpenSSL_1_0_2s, OpenSSL_1_0_2r, OpenSSL_1_1_1b |
|
#
4746f25a |
| 06-Dec-2018 |
Richard Levitte |
Following the license change, modify the boilerplates in doc/man3/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/78
Following the license change, modify the boilerplates in doc/man3/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7829)
show more ...
|
Revision tags: OpenSSL_1_0_2q, OpenSSL_1_1_0j, OpenSSL_1_1_1a, OpenSSL_1_1_1 |
|
#
77890553 |
| 06-Sep-2018 |
Matt Caswell |
Remove a reference to SSL_force_post_handshake_auth() That function was removed in favour of SSL_set_post_handshake_auth(). Update the docs accordingly. Reviewed-by: Tim Hudson
Remove a reference to SSL_force_post_handshake_auth() That function was removed in favour of SSL_set_post_handshake_auth(). Update the docs accordingly. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7139)
show more ...
|
Revision tags: OpenSSL_1_1_1-pre9, OpenSSL_1_0_2p, OpenSSL_1_1_0i |
|
#
e97be718 |
| 13-Aug-2018 |
Matt Caswell |
Add support for SSL_CTX_set_post_handshake_auth() We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX equivalent. Reviewed-by: Tim Hudson <tjh@openssl.org>
Add support for SSL_CTX_set_post_handshake_auth() We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX equivalent. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6938)
show more ...
|
#
32097b33 |
| 13-Aug-2018 |
Matt Caswell |
Change Post Handshake auth so that it is opt-in Having post handshake auth automatically switched on breaks some applications written for TLSv1.2. This changes things so that an explicit
Change Post Handshake auth so that it is opt-in Having post handshake auth automatically switched on breaks some applications written for TLSv1.2. This changes things so that an explicit function call is required for a client to indicate support for post-handshake auth. Fixes #6933. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6938)
show more ...
|
Revision tags: OpenSSL_1_1_1-pre8, OpenSSL_1_1_1-pre7, OpenSSL_1_1_1-pre6, OpenSSL_1_1_1-pre5, OpenSSL_1_1_1-pre4, OpenSSL_1_0_2o, OpenSSL_1_1_0h, OpenSSL_1_1_1-pre3, OpenSSL_1_1_1-pre2, OpenSSL_1_1_1-pre1 |
|
#
6738bf14 |
| 13-Feb-2018 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
658e4879 |
| 31-Jan-2018 |
Todd Short |
Fix doc nits Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4964)
|
#
9d75dce3 |
| 18-Dec-2017 |
Todd Short |
Add TLSv1.3 post-handshake authentication (PHA) Add SSL_verify_client_post_handshake() for servers to initiate PHA Add SSL_force_post_handshake_auth() for clients that don't have ce
Add TLSv1.3 post-handshake authentication (PHA) Add SSL_verify_client_post_handshake() for servers to initiate PHA Add SSL_force_post_handshake_auth() for clients that don't have certificates initially configured, but use a certificate callback. Update SSL_CTX_set_verify()/SSL_set_verify() mode: * Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after the initial handshake. * Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless of when the certificate authentication takes place; either initial handshake, re-negotiation, or post-handshake authentication. Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options Add support to s_client: * Enabled automatically when cert is configured * Can be forced enabled via -force_pha Add support to s_server: * Use 'c' to invoke PHA in s_server * Remove some dead code Update documentation Update unit tests: * Illegal use of PHA extension * TLSv1.3 certificate tests DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is implemented, it's PHA support state machine may need to be different. Add a TODO and a #error Update handshake context to deal with PHA. The handshake context for TLSv1.3 post-handshake auth is up through the ClientFinish message, plus the CertificateRequest message. Subsequent Certificate, CertificateVerify, and Finish messages are based on this handshake context (not the Certificate message per se, but it's included after the hash). KeyUpdate, NewSessionTicket, and prior Certificate Request messages are not included in post-handshake authentication. After the ClientFinished message is processed, save off the digest state for future post-handshake authentication. When post-handshake auth occurs, copy over the saved handshake context into the "main" handshake digest. This effectively discards the any KeyUpdate or NewSessionTicket messages and any prior post-handshake authentication. This, of course, assumes that the ID-22 did not mean to include any previous post-handshake authentication into the new handshake transcript. This is implied by section 4.4.1 that lists messages only up to the first ClientFinished. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4964)
show more ...
|
Revision tags: OpenSSL_1_0_2n, OpenSSL_1_0_2m, OpenSSL_1_1_0g, OpenSSL_1_0_2l, OpenSSL_1_1_0f, OpenSSL-fips-2_0_16, OpenSSL_1_1_0e, OpenSSL_1_0_2k, OpenSSL_1_1_0d |
|
#
89a01e69 |
| 20-Jan-2017 |
Beat Bolli |
SSL_CTX_set_verify.pod: move a typedef in front of its first usage Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github
SSL_CTX_set_verify.pod: move a typedef in front of its first usage Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1956)
show more ...
|
Revision tags: OpenSSL-fips-2_0_15 |
|
#
2947af32 |
| 18-Nov-2016 |
Beat Bolli |
doc/man3: use the documented coding style in the example code Adjust brace placement, whitespace after keywords, indentation and empty lines after variable declarations according to
doc/man3: use the documented coding style in the example code Adjust brace placement, whitespace after keywords, indentation and empty lines after variable declarations according to https://www.openssl.org/policies/codingstyle.html. Indent literal sections by exactly one space. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1956)
show more ...
|
#
800b5dac |
| 05-Apr-2017 |
Thiago Arrais |
update docs because depth refers only to intermediate certs Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.c
update docs because depth refers only to intermediate certs Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3132)
show more ...
|
#
9e183d22 |
| 11-Mar-2017 |
Rich Salz |
Fix many doc L<> errors Add 2017 copyright year Add missing typedef to NAME Remove ec(7) and bn(7) doc links Remove .pod link errors, bogus links, make a few typo corrections
Fix many doc L<> errors Add 2017 copyright year Add missing typedef to NAME Remove ec(7) and bn(7) doc links Remove .pod link errors, bogus links, make a few typo corrections Fix some typo's in links and some missing items. Don't link to C runtime functions (See OPENSSL_malloc for example/precedent) Document ASN1_tag2str(), add a few typedef's that were missing from NAME Update doc-nits target; addresses https://github.com/openssl/openssl/pull/1900#issuecomment-259943891, Merge check-doc-links into find-doc-nits; if run regularly, would have found https://github.com/openssl/openssl/pull/2825 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2862)
show more ...
|
#
3adc41dd |
| 08-Jan-2017 |
Rich Salz |
Rename "verify_cb" to SSL_verify_cb Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2151)
|
#
121677b4 |
| 27-Dec-2016 |
Rich Salz |
Doc nits: callback function typedefs Enhance find-doc-nits to be better about finding typedefs for callback functions. Fix all nits it now finds. Added some new typedef names to ss
Doc nits: callback function typedefs Enhance find-doc-nits to be better about finding typedefs for callback functions. Fix all nits it now finds. Added some new typedef names to ssl.h some of which were documented but did not exist Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2151)
show more ...
|