#
9277ed0a |
| 20-Dec-2023 |
Neil Horman |
Fix remaining provider config settings to be decisive in value There is one remaining config setting for providers, soft_load, which is enabled when provided in a config, regardless of its value. Augment it to require a decisive value 1/0, yes/no, on/off, true/false, as we've recently done for the activate setting. Also, since it wasn't previously documented, add docs for it. Fixes #23105 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23111)
|
#
506ff206 |
| 01-Dec-2023 |
Neil Horman |
Make the activate setting more intuitive Currently, a provider is activated from our config file using the activate parameter. However, the presence of the config parameter is sufficient to trigger activation, leading to a counterintuitive situation in which setting "activate = 0" still activates the provider. Make activation more intuitive by requiring that activate be set to one of yes|true|1 to trigger activation. Any other value, as well as omitting the parameter entirely, prevents activation (and also maintains backward compatibility). It seems a bit heavyweight to create a test specifically to validate the plurality of these settings. Instead, modify the existing openssl config files in the test directory to use variants of these settings, and augment the default.cnf file to include a provider section that is explicitly disabled. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22906)
|
#
da1c088f |
| 07-Sep-2023 |
Matt Caswell |
Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
|
#
d54e91d3 |
| 16-Feb-2023 |
Jeeban Sethi |
openssl-3.0#20290: Fixed typo in "config" man page CLA: trivial Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20311) (cherry picked from commit 3da073c405e2d2000188571c23f3a79cf67a6e9d)
|
#
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
|
#
e304aa87 |
| 02-Jan-2022 |
Dimitris Apostolou |
Fix typos Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17392)
|
#
a5f4099d |
| 10-Aug-2021 |
Dmitry Belyavskiy |
Disclaimer about the default provider activation added to config Fixes #16249 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16280)
|
#
5540855b |
| 29-Jul-2021 |
Pauli |
doc: document that config_diagnostics is sensible but involves risk Also: - add this option to the sample configurations in the documentation. - note that it is a sensible choice when using FIPS via config Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16172)
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16 |
|
#
f7050588 |
| 30-Apr-2021 |
Rich Salz |
Add .includedir pragma Also add a negative test, and fix typos. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15090)
|
#
3fb985fd |
| 29-Apr-2021 |
Rich Salz |
Allow absolute paths to be set It was a mistake to allow relative paths for include files (just like root shouldn't have "." in its PATH), but we probably can't change it now. Add a new pragma "abspath" that someone can put in the system-wide config file to require absolute paths. Also update the config documentation to better explain how file inclusion works. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15090)
|
Revision tags: openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11 |
|
#
4333b89f |
| 28-Jan-2021 |
Richard Levitte |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999)
|
Revision tags: openssl-3.0.0-alpha10 |
|
#
15795943 |
| 10-Dec-2020 |
Dr. David von Oheimb |
APPS: Allow OPENSSL_CONF to be empty, not loading a config file Also document the function CONF_get1_default_config_file() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13658)
|
Revision tags: OpenSSL_1_1_1i, openssl-3.0.0-alpha9 |
|
#
81aef6ba |
| 19-Nov-2020 |
Pauli |
rand: add a provider side seed source. This allows the operating system sources that OpenSSL supports to be used directly as RNGs. It also allows DRBG seeding to be explicitly specified rather than being left to a fall back case. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13455)
|
Revision tags: openssl-3.0.0-alpha8, openssl-3.0.0-alpha7, OpenSSL_1_1_1h |
|
#
44d2482b |
| 21-Sep-2020 |
Pauli |
Add a "random" configuration section. This permits the default trio of DRBGs to have their type and parameters set using configuration. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12931)
|
#
33855c0a |
| 26-Aug-2020 |
Pauli |
conf: add diagnostic option Add an option to configuration files "config_diagnostics" that when set to a non-zero value, overrides the error ignoring flags. The outcome is that diagnostic option is produced when e.g. sections are missing. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12663)
|
Revision tags: openssl-3.0.0-alpha6 |
|
#
77174598 |
| 17-Jul-2020 |
Viktor Dukhovni |
Avoid errors with a priori inapplicable protocol bounds The 'MinProtocol' and 'MaxProtocol' configuration commands now silently ignore TLS protocol version bounds when configuring DTLS-based contexts, and conversely, silently ignore DTLS protocol version bounds when configuring TLS-based contexts. The commands can be repeated to set bounds of both types. The same applies with the corresponding "min_protocol" and "max_protocol" command-line switches, in case some application uses both TLS and DTLS. SSL_CTX instances that are created for a fixed protocol version (e.g. TLSv1_server_method()) also silently ignore version bounds. Previously attempts to apply bounds to these protocol versions would result in an error. Now only the "version-flexible" SSL_CTX instances are subject to limits in configuration files in command-line options. Expected to resolve #12394 Reviewed-by: Paul Dale <paul.dale@oracle.com> GH: #12472
|
Revision tags: openssl-3.0.0-alpha5 |
|
#
e45d9436 |
| 01-Jul-2020 |
Shane Lontis |
Add FIPS related configuration data to the default openssl application configuration file Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12333)
|
Revision tags: openssl-3.0.0-alpha4 |
|
#
6f72b210 |
| 15-Jun-2020 |
haykam821 <24855774+haykam821@users.noreply.github.com> |
Remove whitespace from 'white space' CLA: trivial Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12161)
|
#
bb361a27 |
| 16-Jun-2020 |
Sebastian Andrzej Siewior |
DOC: Spelling fixes Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12172)
|
Revision tags: openssl-3.0.0-alpha3, openssl-3.0.0-alpha2, openssl-3.0.0-alpha1, OpenSSL_1_1_1g, OpenSSL_1_1_1f |
|
#
2b9bafe6 |
| 28-Mar-2020 |
Rich Salz |
Rewrite man5/config.pod and related conf code cleanup The manpage is basically rewritten. Use consistent name/value terminology. Use consistent phraseology to refer to section pointers and lists of section pointers. Add more cross-references. Also found a bunch of trivial style things in conf_api.c while investigating how config works. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11431)
|
#
22e27978 |
| 20-Mar-2020 |
Shane Lontis |
Add support for passing the libctx to the config loader The self tests for the fips module are triggered on startup and they need to know the core's libctx in order to function correctly. As the provider can be autoloaded via configuration it then needs to propagate the caller's libctx down to the provider via the config load. Note that OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, ..) is still called, but will only load the default configuration if the OPENSSL_CONF environment variable is set. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11240)
|
Revision tags: OpenSSL_1_1_1e |
|
#
0587a3af |
| 16-Feb-2020 |
Alex Boboc |
DOC:Fix typos in man5/config.pod CLA: trivial Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11104)
|
#
3472082b |
| 24-Jan-2020 |
Benjamin Kaduk |
openssl-config: add example libssl system-defaults Provide a "simple" example for affecting the systemwide default behavior of libssl. The large number of mandatory nested sections makes this less simple than the main description might suggest. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10937)
|
Revision tags: OpenSSL_1_0_2u |
|
#
23f39931 |
| 13-Nov-2019 |
Dr. Matthias St. Pierre |
Remove RANDFILE settings from configuration files OpenSSL 1.1.1 introduced a new CSPRNG with an improved seeding mechanism, which makes it dispensable to define a RANDFILE for saving and restoring randomness. This commit removes the RANDFILE declarations from our own configuration files and adds documentation that this option is not needed anymore and retained mainly for compatibility reasons. Fixes #10433 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10436)
|
Revision tags: OpenSSL_1_0_2t, OpenSSL_1_1_0l, OpenSSL_1_1_1d, OpenSSL_1_1_1c, OpenSSL_1_1_0k, OpenSSL_1_0_2s |
|
#
0255c174 |
| 06-May-2019 |
Richard Levitte |
Add a .pragma directive for configuration files Currently added pragma: .pragma dollarid:on This allows dollar signs to be a keyword character unless it's followed by an opening brace or parenthesis. Fixes #8207 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8882)
|