#
2c382349 |
| 14-Mar-2015 |
Kurt Roeckx |
Remove ssl_cert_inst() It created the cert structure in SSL_CTX or SSL if it was NULL, but they can never be NULL as the comments already said. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
#
10bf4fc2 |
| 10-Mar-2015 |
Rich Salz |
Merge OPENSSL_NO_EC{DH,DSA} into OPENSSL_NO_EC Suggested by John Foley <foleyj@cisco.com>. Reviewed-by: Matt Caswell <matt@openssl.org>
|
#
a258afaf |
| 27-Feb-2015 |
Rich Salz |
Remove experimental 56bit export ciphers These ciphers are removed: TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA TLS1_CK_DHE_DSS_WITH_RC4_128_SHA They were defined in a long-expired IETF internet-draft: draft-ietf-tls-56-bit-ciphersuites-01.txt Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
9e9858d1 |
| 06-Feb-2015 |
Rich Salz |
dead code cleanup: #if 0 in ssl I left many "#if 0" lines, usually because I thought we would probably want to revisit them later, or because they provided some useful internal documentation tips. Reviewed-by: Andy Polyakov <appro@openssl.org>
|
#
8dd94afb |
| 05-Feb-2015 |
Rich Salz |
Live code cleanup; #if 1 removal A few minor cleanups to remove pre-processor "#if 1" stuff. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
c6ef15c4 |
| 29-Jan-2015 |
Richard Levitte |
clang on Linux x86_64 complains about unreachable code. Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
68fd6dce |
| 28-Jan-2015 |
Rich Salz |
Remove support for opaque-prf An expired IETF Internet-Draft (seven years old) that nobody implements, and probably just as good as NSA DRBG work. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
646e8c1d |
| 28-Jan-2015 |
Rich Salz |
Dead code removal: Fortezza identifiers Not interested in helping the NSA in the slightest. And anyway, it was never implemented, #if'd out. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
0f113f3e |
| 22-Jan-2015 |
Matt Caswell |
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
|
#
a7b1eed5 |
| 21-Jan-2015 |
Matt Caswell |
More indent fixes for STACK_OF Reviewed-by: Tim Hudson <tjh@openssl.org>
|
#
6d23cf97 |
| 12-Jan-2015 |
Rich Salz |
RT3548: Remove unsupported platforms This last one for this ticket. Removes WIN16. So long, MS_CALLBACK and MS_FAR. We won't miss you. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
3ddb2914 |
| 16-Dec-2014 |
Richard Levitte |
Clear warnings/errors within KSSL_DEBUG code sections Reviewed-by: Tim Hudson <tjh@openssl.org>
|
#
72b5d03b |
| 16-Dec-2014 |
Richard Levitte |
Clear warnings/errors within CIPHER_DEBUG code sections Reviewed-by: Tim Hudson <tjh@openssl.org>
|
#
af6e2d51 |
| 18-Nov-2014 |
Matt Caswell |
Add OPENSSL_NO_ECDH guards Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
#
45f55f6a |
| 30-Nov-2014 |
Kurt Roeckx |
Remove SSLv2 support The only support for SSLv2 left is receiving an SSLv2 compatible client hello. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
Revision tags: OpenSSL-fips-2_0_9, OpenSSL_1_0_1j, OpenSSL_1_0_0o, OpenSSL_0_9_8zc |
|
#
cf6da053 |
| 15-Oct-2014 |
Bodo Moeller |
Support TLS_FALLBACK_SCSV. Reviewed-by: Stephen Henson <steve@openssl.org>
|
Revision tags: OpenSSL_1_0_2-beta3 |
|
#
707b026d |
| 12-Aug-2014 |
Dr. Stephen Henson |
Remove serverinfo checks. Since sanity checks are performed for all custom extensions the serverinfo checks are no longer needed. Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
Revision tags: OpenSSL_0_9_8zb, OpenSSL_1_0_0n, OpenSSL_1_0_1i |
|
#
75048789 |
| 23-Jul-2014 |
Hubert Kario |
Add support for Camellia HMAC-Based cipher suites from RFC6367 While RFC6367 focuses on Camellia-GCM cipher suites, it also adds a few cipher suites that use SHA-2 based HMAC that can be very easily added. Tested against gnutls 3.3.5 PR#3443 Reviewed-by: Tim Hudson <tjh@openssl.org>
|
#
9e72d496 |
| 08-Aug-2014 |
Dr. Stephen Henson |
Fix SRP authentication ciphersuites. The addition of SRP authentication needs to be checked in various places to work properly. Specifically: A certificate is not sent. A certificate request must not be sent. Server key exchange message must not contain a signature. If appropriate SRP authentication ciphersuites should be chosen. Reviewed-by: Matt Caswell <matt@openssl.org>
|
Revision tags: OpenSSL_1_0_2-beta2, OpenSSL-fips-2_0_8 |
|
#
8892ce77 |
| 29-Jun-2014 |
Ben Laurie |
Constification - mostly originally from Chromium.
|
#
e6332489 |
| 27-Jun-2014 |
PK |
Add SHA256 Camellia ciphersuites from RFC5932 PR#2800
|
#
447280ca |
| 09-Jun-2014 |
Dr. Stephen Henson |
SRP ciphersuite correction. SRP ciphersuites do not have no authentication. They have authentication based on SRP. Add new SRP authentication flag and cipher string.
|
#
1bea384f |
| 09-Jun-2014 |
Dr. Stephen Henson |
Update strength_bits for 3DES. Fix strength_bits to 112 for 3DES.
|
Revision tags: OpenSSL_1_0_1h, OpenSSL_1_0_0m, OpenSSL_0_9_8za, OpenSSL-fips-2_0_7, OpenSSL_1_0_1g, OpenSSL_1_0_2-beta1, OpenSSL_1_0_0l, OpenSSL_1_0_1f, OpenSSL-fips-2_0_6, OpenSSL-fips-2_0_5, OpenSSL-fips-2_0_4 |
|
#
b362ccab |
| 15-Dec-2013 |
Dr. Stephen Henson |
Security framework. Security callback: selects which parameters are permitted including sensible defaults based on bits of security. The "parameters" which can be selected include: ciphersuites, curves, key sizes, certificate signature algorithms, supported signature algorithms, DH parameters, SSL/TLS version, session tickets and compression. In some cases prohibiting the use of parameters will mean they are not advertised to the peer: for example cipher suites and ECC curves. In other cases it will abort the handshake: e.g. DH parameters or the peer key size. Documentation to follow...
|
#
09599b52 |
| 22-Jan-2014 |
Dr. Stephen Henson |
Auto DH support. Add auto DH parameter support. This is roughly equivalent to the ECDH auto curve selection but for DH. An application can just call SSL_CTX_set_auto_dh(ctx, 1); and appropriate DH parameters will be used based on the size of the server key. Unlike ECDH there is no way a peer can indicate the range of DH parameters it supports. Some peers cannot handle DH keys larger than 1024 bits for example. In this case if you call: SSL_CTX_set_auto_dh(ctx, 2); Only 1024 bit DH parameters will be used. If the server key is 7680 bits or more in size then 8192 bit DH parameters will be used: these will be *very* slow. The old export ciphersuites aren't supported but those are very insecure anyway.
|