Commit message

Reviewed-by: Tim Hudson <tjh@openssl.org>

Add new verify options to set checks.
Remove previous -check* commands from s_client and s_server.

Tidy CRL scoring system.
Add new CRL path validation error.

TODO: robustness checking on name forms.

Submitted by: Martin.Kraemer@Fujitsu-Siemens.com

handling to support this.

a security threat on unexpecting applications. Document and test.

CA setting in each certificate on the chain is correct. As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
given)

This tidies up verify parameters and adds support for integrated policy
checking.
Add support for policy related command line options. Currently only in smime
application.
WARNING: experimental code subject to change.

when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.

Use BUF_strlcat() instead of strcat().
Use BIO_snprintf() instead of sprintf().
In some cases, keep better track of buffer lengths.
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>

The old code was painfully primitive and couldn't handle
distinct certificates using the same subject name.
The new code performs several tests on a candidate issuer
certificate based on certificate extensions.
It also adds several callbacks to X509_VERIFY_CTX so its
behaviour can be customised.
Unfortunately some hackery was needed to persuade X509_STORE
to tolerate this. This should go away when X509_STORE is
replaced, sometime...
This must have broken something though :-(

trust settings of the root CA.
After a few fixes it seems to work OK.
Still need to add support to SSL and S/MIME code though.

at present. However nothing enables it yet so this doesn't
matter :-)

This will soon be complemented with MacOS specific source code files and
INSTALL.MacOS.
I (Andy) have decided to get rid of a number of #include <sys/types.h>.
I've verified it's ok (both by examining /usr/include/*.h and compiling)
on a number of Unix platforms. Unfortunately I don't have a Windows box
to verify this on. I would really appreciate it if somebody could try to compile
it and contact me a.s.a.p. in case a problem occurs.
Submitted by: Roy Wood <roy@centricsystems.ca>
Reviewed by: Andy Polyakov <appro@fy.chalmers.se>

Submitted by:
Reviewed by:
PR:

X509_V_ERR_CERT_REVOKED/23 error number which can occur when a
verify callback function determined that a certificate was revoked.