aboutsummaryrefslogtreecommitdiffstats
path: root/CHANGES
Commit message (Collapse)AuthorAgeFilesLines
* correct CHANGESDr. Stephen Henson2012-12-191-2/+2
|
* Make openssl verify return errors.Ben Laurie2012-12-111-0/+4
|
* Fix OCSP checking.Ben Laurie2012-12-071-0/+2
|
* Add code to download CRLs based on CRLDP extension.Dr. Stephen Henson2012-12-061-0/+4
| | | | Just a sample, real world applications would have to be cleverer.
* Integrate host, email and IP address checks into X509_verify.Dr. Stephen Henson2012-12-051-0/+4
| | | | | | Add new verify options to set checks. Remove previous -check* commands from s_client and s_server.
* initial support for delta CRL generations by diffing two full CRLsDr. Stephen Henson2012-12-041-0/+4
|
* New option to add CRLs for s_client and s_server.Dr. Stephen Henson2012-12-021-0/+3
|
* Generalise OCSP I/O functions to support dowloading of other ASN1Dr. Stephen Henson2012-11-281-1/+6
| | | | structures using HTTP. Add wrapper function to handle CRL download.
* New functions to set lookup_crls callback and to retrieve internal X509_STOREDr. Stephen Henson2012-11-271-1/+5
| | | | from X509_STORE_CTX.
* Add support for printing out and retrieving EC point formats extension.Dr. Stephen Henson2012-11-221-0/+4
|
* new function ASN1_TIME_diff to calculate difference between two ASN1_TIME ↵Dr. Stephen Henson2012-11-191-0/+4
| | | | structures
* PR: 2909Dr. Stephen Henson2012-11-181-0/+4
| | | | | | | Contributed by: Florian Weimer <fweimer@redhat.com> Fixes to X509 hostname and email address checking. Wildcard matching support. New test program and manual page.
* add SSL_CONF functions and documentationDr. Stephen Henson2012-11-161-0/+4
|
* New functions to check a hostname email or IP address against aDr. Stephen Henson2012-10-081-0/+5
| | | | | certificate. Add options to s_client, s_server and x509 utilities to print results of checks.
* config: detect linux-mips* targets.Andy Polyakov2012-09-191-0/+4
|
* Add -rev test option to s_server to just reverse order of characters receivedDr. Stephen Henson2012-09-141-0/+5
| | | | | by client and send back to server. Also prints an abbreviated summary of the connection parameters.
* Add -brief option to s_client and s_server to summarise connection details.Dr. Stephen Henson2012-09-121-0/+4
| | | | | New option -verify_quiet to shut up the verify callback unless there is an error.
* Add ctrl and utility functions to retrieve raw cipher list sent by client inDr. Stephen Henson2012-09-121-0/+4
| | | | | | client hello message. Previously this could only be retrieved on an initial connection and it was impossible to determine the cipher IDs of any uknown ciphersuites.
* Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificateDr. Stephen Henson2012-09-111-2/+2
| | | | | change the current certificate (in s->cert->key) to the one used and then SSL_get_certificate and SSL_get_privatekey will automatically work.
* Call OCSP Stapling callback after ciphersuite has been chosen, so theBen Laurie2012-09-111-0/+6
| | | | | | right response is stapled. Also change SSL_get_certificate() so it returns the certificate actually sent. See http://rt.openssl.org/Ticket/Display.html?id=2836.
* Harmonize CHANGES in HEAD.Andy Polyakov2012-08-291-59/+67
|
* Add three Suite B modes to TLS code, supporting RFC6460.Dr. Stephen Henson2012-08-151-0/+6
|
* add suite B chain validation flags and associated verify errorsDr. Stephen Henson2012-08-031-0/+4
|
* Make tls1_check_chain return a set of flags indicating checks passedDr. Stephen Henson2012-07-271-0/+6
| | | | | | | | | by a certificate chain. Add additional tests to handle client certificates: checks for matching certificate type and issuer name comparison. Print out results of checks for each candidate chain tested in s_server/s_client.
* Abort handshake if signature algorithm used not supported by peer.Dr. Stephen Henson2012-07-241-0/+6
|
* check EC tmp key matches preferencesDr. Stephen Henson2012-07-241-0/+3
|
* Add support for certificate stores in CERT structure. This makes itDr. Stephen Henson2012-07-231-0/+13
| | | | | | | | | | | | possible to have different stores per SSL structure or one store in the parent SSL_CTX. Include distint stores for certificate chain verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN to build and store a certificate chain in CERT structure: returing an error if the chain cannot be built: this will allow applications to test if a chain is correctly configured. Note: if the CERT based stores are not set then the parent SSL_CTX store is used to retain compatibility with existing behaviour.
* New function ssl_set_client_disabled to set masks for any ciphersuitesDr. Stephen Henson2012-07-181-0/+5
| | | | | that are disabled for this session (as opposed to always disabled by configuration).
* Add new ctrl to retrieve client certificate types, print outDr. Stephen Henson2012-07-081-0/+6
| | | | | | | | | | | | details in s_client. Also add ctrl to set client certificate types. If not used sensible values will be included based on supported signature algorithms: for example if we don't include any DSA signing algorithms the DSA certificate type is omitted. Fix restriction in old code where certificate types would be truncated if it exceeded TLS_CT_NUMBER.
* Separate client and server permitted signature algorithm support: by defaultDr. Stephen Henson2012-07-031-0/+3
| | | | | | the permitted signature algorithms for server and client authentication are the same but it is now possible to set different algorithms for client authentication only.
* Add certificate callback. If set this is called whenever a certificateDr. Stephen Henson2012-06-291-0/+9
| | | | | | | | | is required by client or server. An application can decide which certificate chain to present based on arbitrary criteria: for example supported signature algorithms. Add very simple example to s_server. This fixes many of the problems and restrictions of the existing client certificate callback: for example you can now clear existing certificates and specify the whole chain.
* Add new "valid_flags" field to CERT_PKEY structure which determines whatDr. Stephen Henson2012-06-281-0/+12
| | | | | | | | | | | | the certificate can be used for (if anything). Set valid_flags field in new tls1_check_chain function. Simplify ssl_set_cert_masks which used to have similar checks in it. Add new "cert_flags" field to CERT structure and include a "strict mode". This enforces some TLS certificate requirements (such as only permitting certificate signature algorithms contained in the supported algorithms extension) which some implementations ignore: this option should be used with caution as it could cause interoperability issues.
* Reorganise supported signature algorithm extension processing.Dr. Stephen Henson2012-06-251-0/+6
| | | | | | Only store encoded versions of peer and configured signature algorithms. Determine shared signature algorithms and cache the result along with NID equivalents of each algorithm.
* Add support for application defined signature algorithms for use withDr. Stephen Henson2012-06-221-0/+5
| | | | | | | | TLS v1.2. These are sent as an extension for clients and during a certificate request for servers. TODO: add support for shared signature algorithms, respect shared algorithms when deciding which ciphersuites and certificates to permit.
* Make it possible to delete all certificates from an SSL structure.Dr. Stephen Henson2012-06-181-0/+5
|
* Initial record tracing code. Print out all fields in SSL/TLS recordsDr. Stephen Henson2012-06-151-0/+6
| | | | for debugging purposes. Needs "enable-ssl-trace" configuration option.
* New functions to retrieve certificate signatures and signature OID NID.Dr. Stephen Henson2012-06-131-0/+4
|
* print out issuer and subject unique identifier fields in certificatesDr. Stephen Henson2012-06-121-0/+4
|
* RFC 5878 support.Ben Laurie2012-05-301-0/+3
|
* PR: 2813Dr. Stephen Henson2012-05-111-0/+3
| | | | | | Reported by: Constantine Sapuntzakis <csapuntz@gmail.com> Fix possible deadlock when decoding public keys.
* PR: 2811Dr. Stephen Henson2012-05-111-2/+7
| | | | | | | Reported by: Phil Pennock <openssl-dev@spodhuis.org> Make renegotiation work for TLS 1.2, 1.1 by not using a lower record version client hello workaround if renegotiating.
* Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 andDr. Stephen Henson2012-05-101-0/+8
| | | | | | | | DTLS to fix DoS attack. Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing as a service testing platform. (CVE-2012-2333)
* Reported by: Solar Designer of OpenwallDr. Stephen Henson2012-05-101-0/+4
| | | | Make sure tkeylen is initialised properly when encrypting CMS messages.
* Don't try to use unvalidated composite ciphers in FIPS modeDr. Stephen Henson2012-04-261-2/+9
|
* CHANGES: clarify.Andy Polyakov2012-04-261-1/+2
|
* CHANGES: fix typos and clarify.Andy Polyakov2012-04-261-3/+5
|
* Change value of SSL_OP_NO_TLSv1_1 to avoid clash with SSL_OP_ALL andDr. Stephen Henson2012-04-251-0/+11
| | | | OpenSSL 1.0.0. Add CHANGES entry noting the consequences.
* s23_clnt.c: ensure interoperability by maitaining client "version capability"Andy Polyakov2012-04-251-1/+11
| | | | | vector contiguous. PR: 2802
* Check for potentially exploitable overflows in asn1_d2i_read_bioDr. Stephen Henson2012-04-191-1/+10
| | | | | | | | BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer in CRYPTO_realloc_clean. Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110)
* Disable SHA-2 ciphersuites in < TLS 1.2 connections.Bodo Möller2012-04-171-0/+3
| | | | | | | (TLS 1.2 clients could end up negotiating these with an OpenSSL server with TLS 1.2 disabled, which is problematic.) Submitted by: Adam Langley
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-21 17:51:01 +0000