Age | Commit message (Collapse) | Author |
|
Noted by Steffen Ullrich.
ok tb@
|
|
ok inoguchi jmc kn
|
|
|
|
|
|
lines
|
|
|
|
returns 1. verify.c's cb() ignores a bunch of things to display as
much info as possible. Thus, check the error code on the store ctx
as well, similar to OpenSSL commit d9e309a6 (old licence).
This makes openssl verify error on expired certs, at least with the
legacy verify code.
While here, fix a number of style issues, simplify and plug a leak.
ok inoguchi
|
|
(audio.4 tweaked from that submitted)
|
|
and testing purposes.
ok beck inoguchi jsing
|
|
|
|
Otherwise each run of the s_client leaks 16k of memory. This hurts
in interactive mode.
ok inoguchi jsing
|
|
While OCSP uses HTTP/1.0 where a host header is optional, some widely
used OCSP responders will return 400 bad request if it is missing. Add
such a header unless it's already provided in the user's custom headers.
OpenSSL did something similar in ff4a9394a23 and 76e0cd12f68
(both commits are under the old license)
ok inoguchi
|
|
ok inoguchi@ tb@ deraadt@
|
|
On OpenBSD it's necessary to use the eopenssl11 s_server with either -4
or -6 to choose an address family. I often want to try something with an
OpenSSL server and then test the same thing with LibreSSL or vice versa.
Adding and removing -4s on top of editing the command is annoying and
distracting.
This commits teaches our s_server to ignore -4 and -6 and thus makes
commands that work with eopenssl11 more likely to work with openssl(1).
These options are deliberately undocumented and don't show up in help
listings.
ok bcook inoguchi jsing
|
|
|
|
|
|
|
|
input and ok tb@
|
|
ok tb@
|
|
With input from inoguchi@
ok beck@ inoguchi@
|
|
|
|
|
|
|
|
|
|
ok and comments from jsing@
|
|
ok inoguchi@, tb@
|
|
|
|
|
|
ok jmc@
|
|
- Remove space between '*' and pointer variable.
- Add function prototype.
- Move callback function to bottom.
- Move typedef struct to up.
|
|
ok tb@
|
|
|
|
|
|
suggestions and ok beck@ jsing@ tb@
|
|
callback, so its mode is not used to update the ssl's mode, it
seems more appropriate to clear the SSL_MODE_AUTO_RETRY flag on
it as well.
ok jsing
|
|
default. To avoid hanging on a blocking read, we need to clear the
SSL_MODE_AUTO_RETRY flag in the s_client and the s_server.
ok beck inoguchi jsing
|
|
It can be triggered by sending a line to stdin while no connection
is open and then connecting a client. The first SSL_write() fails,
sends SSL_ERROR_WANT_* and then causes a segfault deep down in the
tls stack when accessing &(buf[-1]).
ok beck inoguchi
|
|
(gurn) copies getsockname() retrieves a truncated result and 14 bytes of
stack garbage get copied onwards.
ok tb
|
|
ok jsing@ tb@
|
|
- Add -tls1_3 and -no_tls1_3 to openssl(1) s_server
- Stop using version pinned methods, instead setting the min and max protocol versions
ok jsing@ tb@
|
|
While we are in here also make it notice if time values in a certificate
are bogus, and say so in the output.
ok bcook@ jsing@
|
|
debug is on. otherwise, just retry. Fixes problems this creates in
testing.
ok jsing@ tb@
|
|
Add TLSv1.3 extension type, and sort by the definition order in tls1.h.
This helps that openssl(1) s_server and s_client with -tlsextdebug
displays the TLS extension type instead of "unknown".
ok beck@ jsing@ tb@
|
|
Set initial value to variable 'p' and 'pending'.
Reported and fix requested from leonklingele by GitHub pull request.
https://github.com/libressl-portable/portable/issues/577
https://github.com/libressl-portable/openbsd/pull/114
ok bcook@ jsing@ tb@
|
|
document it and deprecate "openssl s_server -named_curve".
While here, fix the error in the synopsis for "openssl s_client -groups"
and use unified argument naming and similar wording like
in SSL_CTX_set1_groups_list(3).
OK jsing@
|
|
This allows supported EC groups to be configured, which will also control
which TLSv1.3 key shares we'll accept. While here, deprecate the rather
useless -named_curve option, which is effectively the same as -groups with
a single group. Also stop setting a single default group of P-256 via
SSL_CTX_set_tmp_ecdh() - use the library defaults instead.
ok beck@ inoguchi@
|
|
Allow semantic lookup by manually tagging sections (.Sh) for which no
automatic tagging has been implemented; this thereby also eliminates false
positives such that ":tx509<Enter>" now jumps to the X509 section.
feedback remi inoguchi schwarze
OK tb
|
|
Also stop using version pinned methods, instead setting the min and max
protocol versions.
Requested by inoguchi@
ok inoguchi@ tb@
|
|
|
|
ok beck jsing
|