Commit message

Use bufsiz - 1 not BUFSIZ - 1 when prompting for a password in
the openssl utility.
Thanks to Rob Mackinnon, Leviathan Security for reporting this issue.

New -hash_old to generate CRL hashes using old
(before OpenSSL 1.0.0) algorithm.

Add a debugging security callback option to s_client/s_server. This will
print out each security parameter as it is accepted or rejected.

New function ssl_cipher_disabled.
Check for disabled client ciphers using ssl_cipher_disabled.
New function to return only supported ciphers.
New option to ciphers utility to print only supported ciphers.

Add auto DH parameter support. This is roughly equivalent to the
ECDH auto curve selection but for DH. An application can just call
    SSL_CTX_set_auto_dh(ctx, 1);
and appropriate DH parameters will be used based on the size of the
server key.
Unlike ECDH there is no way a peer can indicate the range of DH parameters
it supports. Some peers cannot handle DH keys larger than 1024 bits for
example. In this case if you call:
    SSL_CTX_set_auto_dh(ctx, 2);
Only 1024 bit DH parameters will be used.
If the server key is 7680 bits or more in size then 8192 bit DH parameters
will be used: these will be *very* slow.
The old export ciphersuites aren't supported but those are very
insecure anyway.

(cherry picked from commit 1f44dac24d1cb752b1a06be9091bb03a88a8598e)

Add option to set an alternative to the default hmacWithSHA1 PRF
for PKCS#8 private key encryptions. This is used automatically
by PKCS8_encrypt if the nid specified is a PRF.
Add option to pkcs8 utility.
Update docs.
(cherry picked from commit b60272b01fcb4f69201b3e1659b4f7e9e9298dfb)

Windows 8 SDKs complain that GetVersion() is deprecated.
We only use GetVersion like this:
    (GetVersion() < 0x80000000)
which checks if the Windows version is NT based. Use a macro check_winnt()
which uses GetVersion() on older SDK versions and true otherwise.

New flags to build certificate chains. They can be used to rearrange
the chain so all an application needs to do is add all certificates
in arbitrary order and then build the chain to check and correct them.
Add verify error code when building chain.
Update docs.

Add the extension parser in the s_client, ocsp and x509 apps.

If you use "-newkey rsa" it's supposed to read the default number of bits from the
config file. However the value isn't used to generate the key, but it does
print it's generating such a key. The set_keygen_ctx() doesn't call
EVP_PKEY_CTX_set_rsa_keygen_bits() and you end up with the default set in
pkey_rsa_init() (1024). Afterwards the number of bits gets read from the config
file, but nothing is done with that anymore.
We now read the config first and use the value from the config file when no size
is given.
PR: 2592

Whitespace fixes

support sending an alert.
If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake.
Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.

PR#3106

Extend SSL_CONF to return command value types.
Add certificate and key options.
Update documentation.

Conflicts:
    apps/s_server.c

Experimental support for encrypt then mac from
draft-gutmann-tls-encrypt-then-mac-02.txt
To enable it set the appropriate extension number (0x10 for the test server)
using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x10
For non-compliant peers (i.e. just about everything) this should have no
effect.

use of num_renegotiations in TLS and supp data generation callbacks

entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.

* Many XMPP servers are configured with multiple domains (virtual hosts)
* In order to successfully establish the TLS connection you have to specify
  which virtual host you are trying to connect to.
* Test this, for example with ::
* Fail:
    openssl s_client -connect talk.google.com:5222 -starttls xmpp
* Works:
    openssl s_client -connect talk.google.com:5222 -starttls xmpp -xmpphost gmail.com

* When the host used in "-connect" is not what the remote XMPP server expects
  the server will return an error like this:
    <stream:error>
    <host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
    </stream:error>
* But the actual code will stay on the loop forever because the stop condition
  "/stream:features>" will never happen.
* Make this more robust: The stop condition should be that BIO_read failed
* Test it for example with ::
    openssl s_client -connect random.jabb3r.net:5222 -starttls xmpp

* Some XMPP Servers (OpenFire) use double quotes.
* This makes s_client starttls work with these servers.
* Tested with OpenFire servers from http://xmpp.net/ ::
    openssl s_client -connect coderollers.com:5222 -starttls xmpp

(cherry picked from commit 90e7f983b573c3f3c722a02db4491a1b1cd87e8c)

Conflicts:
    ssl/ssltest.c

This change adds support for ALPN[1] in OpenSSL. ALPN is the IETF
blessed version of NPN and we'll be supporting both ALPN and NPN for
some time yet.
[1] https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-00
Conflicts:
    ssl/ssl3.h
    ssl/t1_lib.c

Add support for custom public key parameters in the cms utility using
the -keyopt switch. Works for -sign and also -encrypt if -recip is used.

Contributed by Trevor Perrin.

Add new methods DTLS_*_method() which support both DTLS 1.0 and DTLS 1.2 and
pick the highest version the peer supports during negotiation.
As with SSL/TLS, options can change this behaviour, specifically
SSL_OP_NO_DTLSv1 and SSL_OP_NO_DTLSv1_2.

(cherry picked from commit 944bc29f9004cf8851427ebfa83ee70b8399da57)

Add correct flags for DTLS 1.2, update s_server and s_client to handle
DTLS 1.2 methods.
Currently no support for version negotiation: i.e. if client/server selects
DTLS 1.2 it is that or nothing.