path: root/usr.bin/openssl
Age         Commit message  (Author)

2021-02-15  Only print the certificate file once on verification failure.  (Joel Sing)
            Noted by Steffen Ullrich. ok tb@

2020-12-30  Document meaning of '*' in genrsa output  (Theo Buehler)
            ok inoguchi jmc kn

2020-12-16  Remove a redundant memset call.  (Theo Buehler)

2020-11-03  Wrap remaining overlong lines.  (Theo Buehler)

2020-11-03  garbage collect an essentially unused variable and wrap some overlong lines  (Theo Buehler)

2020-11-03  * ptr -> *ptr  (Theo Buehler)

2020-11-03  X509_verify_cert()'s return value is not reliable if the callback  (Theo Buehler)
            returns 1. verify.c's cb() ignores a bunch of things to display as much info as possible. Thus, check the error code on the store ctx as well, similar to OpenSSL commit d9e309a6 (old licence). This makes openssl verify error on expired certs, at least with the legacy verify code. While here, fix a number of style issues, simplify and plug a leak. ok inoguchi

2020-11-01  some comma fixes; from varik valefor  (Jason McIntyre)
            (audio.4 tweaked from that submitted)

2020-10-26  Add a -legacy_verify flag to force use of the old validator for debugging  (Theo Buehler)
            and testing purposes. ok beck inoguchi jsing

2020-10-14  no need to initialize i if it's re-initialized a few lines down  (Theo Buehler)

2020-10-14  Free peekaboo pbuf at end of s_client_main()  (Theo Buehler)
            Otherwise each run of the s_client leaks 16k of memory. This hurts in interactive mode. ok inoguchi jsing

2020-10-13  Make sure an OCSP query sends a host header  (Theo Buehler)
            While OCSP uses HTTP/1.0 where a host header is optional, some widely used OCSP responders will return 400 bad request if it is missing. Add such a header unless it's already provided in the user's custom headers. OpenSSL did something similar in ff4a9394a23 and 76e0cd12f68 (both commits are under the old license). ok inoguchi

2020-10-08  set SO_REUSEADDR on the server socket when we play ocsp server.  (Bob Beck)
            ok inoguchi@ tb@ deraadt@

2020-10-02  Add -[46] nops for compatibility with the OpenSSL s_server  (Theo Buehler)
            On OpenBSD it's necessary to use the eopenssl11 s_server with either -4 or -6 to choose an address family. I often want to try something with an OpenSSL server and then test the same thing with LibreSSL or vice versa. Adding and removing -4s on top of editing the command is annoying and distracting. This commit teaches our s_server to ignore -4 and -6 and thus makes commands that work with eopenssl11 more likely to work with openssl(1). These options are deliberately undocumented and don't show up in help listings. ok bcook inoguchi jsing

2020-09-09  Wrap long lines, add space in front of goto label in openssl(1) ocsp.c  (Kinichiro Inoguchi)

2020-09-09  Change SSLv23_client_method to TLS_client_method openssl(1) ocsp  (Kinichiro Inoguchi)

2020-09-09  Remove space between pointer '*' and variable name in ocsp.c  (Kinichiro Inoguchi)

2020-09-09  Convert openssl(1) ocsp option handling  (Kinichiro Inoguchi)
            input and ok tb@

2020-09-09  Add option type OPTION_UL_VALUE_OR  (Kinichiro Inoguchi)
            ok tb@

2020-08-09  Convert openssl req option handling.  (Joel Sing)
            With input from inoguchi@ ok beck@ inoguchi@

2020-07-27  Wrap long lines s_server.c  (Kinichiro Inoguchi)

2020-07-27  Add function prototype and move sub functions to bottom  (Kinichiro Inoguchi)

2020-07-27  Remove space between '*' and pointer variable in s_server.c  (Kinichiro Inoguchi)

2020-07-27  Remove 's_' prefix from member of s_server_config struct  (Kinichiro Inoguchi)

2020-07-27  Convert openssl(1) s_server option handling  (Kinichiro Inoguchi)
            ok and comments from jsing@

2020-07-14  Convert option handling for openssl(1) verify.  (Joel Sing)
            ok inoguchi@, tb@

2020-07-14  Remove hyphen  (Kinichiro Inoguchi)

2020-07-14  Add single space between pem and ...  (Kinichiro Inoguchi)

2020-07-14  Add manual for openssl(1) certhash  (Kinichiro Inoguchi)
            ok jmc@

2020-07-10  Clean up s_client.c  (Kinichiro Inoguchi)
            - Remove space between '*' and pointer variable.
            - Add function prototype.
            - Move callback function to bottom.
            - Move typedef struct to up.

2020-07-10  Change variable bio_c_out from global to local  (Kinichiro Inoguchi)
            ok tb@

2020-07-09  Wrap long lines and put space in front of label in s_client.c  (Kinichiro Inoguchi)

2020-07-09  Remove c_ prefix from s_client_config member  (Kinichiro Inoguchi)

2020-07-09  Convert openssl(1) s_client option handling  (Kinichiro Inoguchi)
            suggestions and ok beck@ jsing@ tb@

2020-05-23  While the second SSL_CTX in this code is only used on servername  (Theo Buehler)
            callback, so its mode is not used to update the ssl's mode, it seems more appropriate to clear the SSL_MODE_AUTO_RETRY flag on it as well. ok jsing

2020-05-23  In ssl_lib.c revision 1.217, jsing enabled SSL_MODE_AUTO_RETRY by  (Theo Buehler)
            default. To avoid hanging on a blocking read, we need to clear the SSL_MODE_AUTO_RETRY flag in the s_client and the s_server. ok beck inoguchi jsing

2020-05-23  Avoid an out-of-bounds array access in the s_server.  (Theo Buehler)
            It can be triggered by sending a line to stdin while no connection is open and then connecting a client. The first SSL_write() fails, sends SSL_ERROR_WANT_* and then causes a segfault deep down in the tls stack when accessing &(buf[-1]). ok beck inoguchi

2020-05-22  sockaddr should be sockaddr_storage, otherwise "openssl s_client -6 -dtls1"  (Theo de Raadt)
            (gurn) copies getsockname() retrieves a truncated result and 14 bytes of stack garbage get copied onwards. ok tb

2020-05-13  Add description for -tls1_3 and -no_tls1_3 options to openssl(1) s_server  (Kinichiro Inoguchi)
            ok jsing@ tb@

2020-05-13  Add -tls1_3 and -no_tls1_3 options to openssl(1) s_server  (Kinichiro Inoguchi)
            - Add -tls1_3 and -no_tls1_3 to openssl(1) s_server
            - Stop using version pinned methods, instead setting the min and max protocol versions
            ok jsing@ tb@

2020-05-10  Make openssl X509 handle the failure case return code from X509_time_cmp.  (Bob Beck)
            While we are in here also make it notice if time values in a certificate are bogus, and say so in the output. ok bcook@ jsing@

2020-05-10  Conditionalize sleep-before-retry in server code to only be done when  (Bob Beck)
            debug is on. Otherwise, just retry. Fixes problems this creates in testing. ok jsing@ tb@

2020-04-26  Display TLSv1.3 extension type with openssl(1) -tlsextdebug  (Kinichiro Inoguchi)
            Add TLSv1.3 extension type, and sort by the definition order in tls1.h. This helps openssl(1) s_server and s_client with -tlsextdebug display the TLS extension type instead of "unknown". ok beck@ jsing@ tb@

2020-04-26  s_client: fix use of possibly uninitialized values  (Kinichiro Inoguchi)
            Set initial values for variables 'p' and 'pending'. Reported and fix requested from leonklingele by GitHub pull request. https://github.com/libressl-portable/portable/issues/577 https://github.com/libressl-portable/openbsd/pull/114 ok bcook@ jsing@ tb@

2020-04-25  In s_server.c rev. 1.33, jsing added support for "openssl s_server -groups";  (Ingo Schwarze)
            document it and deprecate "openssl s_server -named_curve". While here, fix the error in the synopsis for "openssl s_client -groups" and use unified argument naming and similar wording like in SSL_CTX_set1_groups_list(3). OK jsing@

2020-04-19  Add -groups option to openssl(1) s_server.  (Joel Sing)
            This allows supported EC groups to be configured, which will also control which TLSv1.3 key shares we'll accept. While here, deprecate the rather useless -named_curve option, which is effectively the same as -groups with a single group. Also stop setting a single default group of P-256 via SSL_CTX_set_tmp_ecdh() - use the library defaults instead. ok beck@ inoguchi@

2020-02-19  Tag subcommand sections  (kn)
            Allow semantic lookup by manually tagging sections (.Sh) for which no automatic tagging has been implemented; this thereby also eliminates false positives such that ":tx509<Enter>" now jumps to the X509 section. feedback remi inoguchi schwarze OK tb

2020-02-16  Add -tls1_3 and -notls1_3 options to openssl(1) s_client.  (Joel Sing)
            Also stop using version pinned methods, instead setting the min and max protocol versions. Requested by inoguchi@ ok inoguchi@ tb@

2020-01-25  add a couple of XXX for future cleanup  (Theo Buehler)

2020-01-24  Teach openssl s_client a bit about TLSv1.3.  (Theo Buehler)
            ok beck jsing