| Age | Commit message (Collapse) | Author |
|---|
|
The only support for SSLv2 left is receiving a SSLv2 compatible client hello.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
and UDP header) when setting an mtu. This constant is not always correct (e.g.
if using IPv6). Use the new DTLS_CTRL functions instead.
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
If SSLv2 and SSLv3 are both disabled we still support SSL/TLS.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
PR#3612
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
When using the -xcert option to test certificate validity print out
if we pass Suite B compliance. We print out "not tested" if we aren't
in Suite B mode.
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
If no keyfile has been specified use the certificate file instead.
Fix typo: we need to check the chain is not NULL, not the chain file.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 786370b1b09b919d9306f27336e13783e4fe3fd0)
|
|
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3
options for s_client/s_server/ssltest.
When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3
options.
We should document this somewhere, e.g. wiki, FAQ or manual page.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
The trial division and probable prime with coprime tests are disabled
on WIN32 builds because they use internal functions not exported from
the WIN32 DLLs.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
handling out of #ifndef OPENSSL_NO_DTLS1 section.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
The following #ifdef tests were all removed:
__MWERKS__
MAC_OS_pre_X
MAC_OS_GUSI_SOURCE
MAC_OS_pre_X
OPENSSL_SYS_MACINTOSH_CLASSIC
OPENSSL_SYS_MACOSX_RHAPSODY
Reviewed-by: Andy Polyakov <appro@openssl.org>
|
|
(Original commit adb46dbc6dd7347750df2468c93e8c34bcb93a4b)
Use the new constant-time methods consistently in s3_srvr.c
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
|
|
This is a more comprehensive fix. It changes all
keygen apps to use 2K keys. It also changes the
default to use SHA256 not SHA1. This is from
Kurt's upstream Debian changes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
|
|
I added some error-checking while integrating this patch.
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
New option allows to perform benchmarks on misaligned data.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext
use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Support separate parse and add callback arguments.
Add new callback so an application can free extension data.
Change return value for send functions so < 0 is an error 0
omits extension and > 0 includes it. This is more consistent
with the behaviour of other functions in OpenSSL.
Modify parse_cb handling so <= 0 is an error.
Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument
order consistent.
NOTE: these changes WILL break existing code.
Remove (now inaccurate) in line documentation.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Use "parse" and "add" for function and callback names instead of
"first" and "second".
Change arguments to callback so the extension type is unsigned int
and the buffer length is size_t. Note: this *will* break existing code.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
Update the dgst.pod page to include SHA224...512 algorithms.
Update apps/progs.pl to add them to the digest command table.
Reviewed-by: Tim Hudson <tjh@cryptosoft.com>
|
|
Undo unapproved commit that removed DJGPP and WATT32
|
|
DJGPP is no longer a supported platform. Remove all #ifdef, etc.,
cases that refer to it. DJGPP also #define'd WATT32, so that
is now removed as well.
|
|
PR#3442
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
The options which emulate a web server don't make sense when doing DTLS.
Exit with an error if an attempt is made to use them.
PR#3453
|
|
PR#3445
|
|
|
|
Reduces number of silly casts in OpenSSL code and likely most
applications. Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().
|
|
|
|
|
|
|
|
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().
Document modified interface.
|
|
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs
|
|
|
|
|
|
|
|
We can't unfortunately print the CMAC cipher used without extending the API.
PR#2579
|
|
PR#3412
|
|
If CSR verify fails in ca utility print out error messages.
Otherwise some errors give misleading output: for example
if the key size exceeds the library limit.
PR#2875
|
|
|
|
PR#3107
|
|
PR#3403
|
|
Add -trusted_first description to help messages and man pages
of tools that deal with certificate verification.
|
|
|
|
|
|
|
|
|
