| Age | Commit message (Collapse) | Author |
|---|
|
Extend SSL_CONF to return command value types.
Add certificate and key options.
Update documentation.
|
|
|
|
|
|
Conflicts:
apps/s_server.c
|
|
|
|
|
|
Experimental support for encrypt then mac from
draft-gutmann-tls-encrypt-then-mac-02.txt
To enable it set the appropriate extension number (0x10 for the test server)
using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x10
For non-compliant peers (i.e. just about everything) this should have no
effect.
|
|
|
|
use of num_renegotiations in TLS and supp data generation callbacks
|
|
|
|
|
|
entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
|
|
|
|
|
|
* Many XMPP servers are configured with multiple domains (virtual hosts)
* In order to establish successfully the TLS connection you have to specify
which virtual host you are trying to connect.
* Test this, for example with ::
* Fail:
openssl s_client -connect talk.google.com:5222 -starttls xmpp
* Works:
openssl s_client -connect talk.google.com:5222 -starttls xmpp -xmpphost gmail.com
|
|
* When the host used in "-connect" is not what the remote XMPP server expects
the server will return an error like this:
<stream:error>
<host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
</stream:error>
* But the actual code will stay on the loop forever because the stop condition
"/stream:features>" will never happen,
* Make this more robust: The stop condition should be that BIO_read failed
* Test if for example with ::
openssl s_client -connect random.jabb3r.net:5222 -starttls xmpp
|
|
* Some XMPP Servers (OpenFire) use double quotes.
* This makes s_client starttls work with this servers.
* Tested with OpenFire servers from http://xmpp.net/ ::
openssl s_client -connect coderollers.com:5222 -starttls xmpp
|
|
(cherry picked from commit 90e7f983b573c3f3c722a02db4491a1b1cd87e8c)
|
|
|
|
Conflicts:
ssl/ssltest.c
|
|
This change adds support for ALPN[1] in OpenSSL. ALPN is the IETF
blessed version of NPN and we'll be supporting both ALPN and NPN for
some time yet.
[1] https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-00
Conflicts:
ssl/ssl3.h
ssl/t1_lib.c
|
|
|
|
Add support for custom public key parameters in the cms utility using
the -keyopt switch. Works for -sign and also -encrypt if -recip is used.
|
|
Contributed by Trevor Perrin.
|
|
Add new methods DTLS_*_method() which support both DTLS 1.0 and DTLS 1.2 and
pick the highest version the peer supports during negotiation.
As with SSL/TLS options can change this behaviour specifically
SSL_OP_NO_DTLSv1 and SSL_OP_NO_DTLSv1_2.
|
|
(cherry picked from commit 944bc29f9004cf8851427ebfa83ee70b8399da57)
|
|
Add correct flags for DTLS 1.2, update s_server and s_client to handle
DTLS 1.2 methods.
Currently no support for version negotiation: i.e. if client/server selects
DTLS 1.2 it is that or nothing.
|
|
Submitted by: Pierre Delaage
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Don't verify our own responses.
|
|
|
|
Recognise verification arguments.
|
|
|
|
|
|
trusted store instead of the default which is to return an error if
we can't build the complete chain.
|
|
|
|
|
|
|
|
|
|
|
|
Just a sample, real world applications would have to be cleverer.
|
|
|
|
Add new verify options to set checks.
Remove previous -check* commands from s_client and s_server.
|
|
|
|
|
