| #
5d632274 |
| 07-Aug-2024 |
icy17 <1061499390@qq.com> |
Add missing security rules about NULL check to various manpages
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas M
Add missing security rules about NULL check to various manpages
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25083)
show more ...
|
| #
7ed6de99 |
| 05-Sep-2024 |
Tomas Mraz |
Copyright year updates
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
|
| #
a73e07db |
| 18-May-2024 |
Ruslan Baratov |
[Docs] Default value for verification flags is 'SSL_VERIFY_NONE'
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com
[Docs] Default value for verification flags is 'SSL_VERIFY_NONE'
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24435)
show more ...
|
| #
da1c088f |
| 07-Sep-2023 |
Matt Caswell |
Copyright year updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
|
| #
d6e7ebba |
| 26-Jun-2023 |
Hugo Landau |
Minor fixes
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/op
Minor fixes
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
show more ...
|
| #
7163617f |
| 16-Jan-2023 |
Hugo Landau |
QUIC: Prohibit post-handshake auth
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged fro
QUIC: Prohibit post-handshake auth
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
show more ...
|
| #
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
|
| #
1aa1bba5 |
| 15-Mar-2022 |
Dr. David von Oheimb |
SSL_CTX_set_verify.pod: move a note further down where it fits better
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oh
SSL_CTX_set_verify.pod: move a note further down where it fits better
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/17887)
show more ...
|
| #
dfb39f73 |
| 07-Mar-2022 |
Tomas Mraz |
Replace handling of negative verification result with SSL_set_retry_verify()
Provide a different mechanism to indicate that the application wants
to retry the verification. The negative
Replace handling of negative verification result with SSL_set_retry_verify()
Provide a different mechanism to indicate that the application wants
to retry the verification. The negative result of the callback function
now indicates an error again.
Instead the SSL_set_retry_verify() can be called from the callback
to indicate that the handshake should be suspended.
Fixes #17568
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17825)
show more ...
|
| #
54b40531 |
| 29-Jul-2021 |
Matt Caswell |
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16176)
|
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j |
|
| #
4acda863 |
| 16-Feb-2021 |
Dr. David von Oheimb |
DOC: Clarify the role of EKUs including defaults for TLS client and server use
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14199)
|
|
Revision tags: openssl-3.0.0-alpha11, openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7, OpenSSL_1_1_1h, openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2, openssl-3.0.0-alpha1, OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e, OpenSSL_1_0_2u, OpenSSL_1_0_2t, OpenSSL_1_1_0l, OpenSSL_1_1_1d |
|
| #
e6716f2b |
| 02-Jul-2019 |
Tomas Mraz |
Clarify documentation of SSL_CTX_set_verify client side behavior
Fixes #9259
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/92
Clarify documentation of SSL_CTX_set_verify client side behavior
Fixes #9259
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9291)
show more ...
|
|
Revision tags: OpenSSL_1_1_1c, OpenSSL_1_1_0k, OpenSSL_1_0_2s, OpenSSL_1_0_2r, OpenSSL_1_1_1b |
|
| #
4746f25a |
| 06-Dec-2018 |
Richard Levitte |
Following the license change, modify the boilerplates in doc/man3/
[skip ci]
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/78
Following the license change, modify the boilerplates in doc/man3/
[skip ci]
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7829)
show more ...
|
|
Revision tags: OpenSSL_1_0_2q, OpenSSL_1_1_0j, OpenSSL_1_1_1a, OpenSSL_1_1_1 |
|
| #
77890553 |
| 06-Sep-2018 |
Matt Caswell |
Remove a reference to SSL_force_post_handshake_auth()
That function was removed in favour of SSL_set_post_handshake_auth().
Update the docs accordingly.
Reviewed-by: Tim Hudson
Remove a reference to SSL_force_post_handshake_auth()
That function was removed in favour of SSL_set_post_handshake_auth().
Update the docs accordingly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7139)
show more ...
|
|
Revision tags: OpenSSL_1_1_1-pre9, OpenSSL_1_0_2p, OpenSSL_1_1_0i |
|
| #
e97be718 |
| 13-Aug-2018 |
Matt Caswell |
Add support for SSL_CTX_set_post_handshake_auth()
We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX
equivalent.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Add support for SSL_CTX_set_post_handshake_auth()
We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX
equivalent.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)
show more ...
|
| #
32097b33 |
| 13-Aug-2018 |
Matt Caswell |
Change Post Handshake auth so that it is opt-in
Having post handshake auth automatically switched on breaks some
applications written for TLSv1.2. This changes things so that an explicit
Change Post Handshake auth so that it is opt-in
Having post handshake auth automatically switched on breaks some
applications written for TLSv1.2. This changes things so that an explicit
function call is required for a client to indicate support for
post-handshake auth.
Fixes #6933.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)
show more ...
|
|
Revision tags: OpenSSL_1_1_1-pre8, OpenSSL_1_1_1-pre7, OpenSSL_1_1_1-pre6, OpenSSL_1_1_1-pre5, OpenSSL_1_1_1-pre4, OpenSSL_1_0_2o, OpenSSL_1_1_0h, OpenSSL_1_1_1-pre3, OpenSSL_1_1_1-pre2, OpenSSL_1_1_1-pre1 |
|
| #
6738bf14 |
| 13-Feb-2018 |
Matt Caswell |
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
| #
658e4879 |
| 31-Jan-2018 |
Todd Short |
Fix doc nits
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
|
| #
9d75dce3 |
| 18-Dec-2017 |
Todd Short |
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have ce
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.
Update SSL_CTX_set_verify()/SSL_set_verify() mode:
* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.
* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.
Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options
Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha
Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code
Update documentation
Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests
DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error
Update handshake context to deal with PHA.
The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.
After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.
This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
show more ...
|
|
Revision tags: OpenSSL_1_0_2n, OpenSSL_1_0_2m, OpenSSL_1_1_0g, OpenSSL_1_0_2l, OpenSSL_1_1_0f, OpenSSL-fips-2_0_16, OpenSSL_1_1_0e, OpenSSL_1_0_2k, OpenSSL_1_1_0d |
|
| #
89a01e69 |
| 20-Jan-2017 |
Beat Bolli |
SSL_CTX_set_verify.pod: move a typedef in front of its first usage
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github
SSL_CTX_set_verify.pod: move a typedef in front of its first usage
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)
show more ...
|
|
Revision tags: OpenSSL-fips-2_0_15 |
|
| #
2947af32 |
| 18-Nov-2016 |
Beat Bolli |
doc/man3: use the documented coding style in the example code
Adjust brace placement, whitespace after keywords, indentation and empty
lines after variable declarations according to
doc/man3: use the documented coding style in the example code
Adjust brace placement, whitespace after keywords, indentation and empty
lines after variable declarations according to
https://www.openssl.org/policies/codingstyle.html.
Indent literal sections by exactly one space.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)
show more ...
|
| #
800b5dac |
| 05-Apr-2017 |
Thiago Arrais |
update docs because depth refers only to intermediate certs
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.c
update docs because depth refers only to intermediate certs
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3132)
show more ...
|
| #
9e183d22 |
| 11-Mar-2017 |
Rich Salz |
Fix many doc L<> errors
Add 2017 copyright year
Add missing typedef to NAME
Remove ec(7) and bn(7) doc links
Remove .pod link errors, bogus links, make a few typo corrections
Fix many doc L<> errors
Add 2017 copyright year
Add missing typedef to NAME
Remove ec(7) and bn(7) doc links
Remove .pod link errors, bogus links, make a few typo corrections
Fix some typo's in links and some missing items.
Don't link to C runtime functions (See OPENSSL_malloc for example/precedent)
Document ASN1_tag2str(), add a few typedef's that were missing from NAME
Update doc-nits target; addresses
https://github.com/openssl/openssl/pull/1900#issuecomment-259943891,
Merge check-doc-links into find-doc-nits; if run regularly, would have found
https://github.com/openssl/openssl/pull/2825
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2862)
show more ...
|
| #
3adc41dd |
| 08-Jan-2017 |
Rich Salz |
Rename "verify_cb" to SSL_verify_cb
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2151)
|
| #
121677b4 |
| 27-Dec-2016 |
Rich Salz |
Doc nits: callback function typedefs
Enhance find-doc-nits to be better about finding typedefs for
callback functions. Fix all nits it now finds. Added some new
typedef names to ss
Doc nits: callback function typedefs
Enhance find-doc-nits to be better about finding typedefs for
callback functions. Fix all nits it now finds. Added some new
typedef names to ssl.h some of which were documented but did not
exist
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2151)
show more ...
|
