Age | Commit message | Author |
|
While RFC6367 focuses on Camellia-GCM cipher suites, it also adds a few
cipher suites that use SHA-2 based HMAC that can be very easily
added.
Tested against gnutls 3.3.5
PR#3443
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Update the dgst.pod page to include SHA224...512 algorithms.
Update apps/progs.pl to add them to the digest command table.
Reviewed-by: Tim Hudson <tjh@cryptosoft.com>
|
|
The x509_extensions should be req_extensions in the
config example in req.pod
Reviewed-by: tjh@cryptsoft.com
|
|
PR#3452
|
|
Add description of the option to advertise support of
Next Protocol Negotiation extension (-nextprotoneg) to
man pages of s_client and s_server.
PR#3444
|
|
(cherry picked from commit 2cfbec1caea8f9567bdff85d33d22481f2afb40a)
|
|
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs
|
|
298 424 656 882 939 1630 1807 2263 2294 2311 2424 2623
2637 2686 2697 2921 2922 2940 3055 3112 3156 3177 3277
|
|
cms, ocsp, s_client, s_server and smime tools also use args_verify()
for parsing options, which makes them accept most of the same options
the verify tool does. Add those options to man pages and reference
their explanation in the verify man page.
|
|
just making sure the options are listed in the alphabetical order
both in SYNOPSIS and DESCRIPTION, no text changes
|
|
The options related to policy used for verification, verification
of subject names in certificate and certificate chain handling
were missing in the verify(1) man page. This fixes this issue.
|
|
-CAfile and -CApath are documented in OPTIONS but are missing
in SYNOPSIS, add them there
|
|
Add -trusted_first description to help messages and man pages
of tools that deal with certificate verification.
|
|
* Make a clear distinction between DH and ECDH key exchange.
* Group all key exchange cipher suite identifiers, first DH then ECDH
* add descriptions for all supported *DH* identifiers
* add ECDSA authentication descriptions
* add example showing how to disable all suites that offer no
  authentication or encryption
|
|
The verify app man page didn't describe the usage of the attime option
even though it was listed as a valid option in the -help message.
This patch fixes this omission.
|
|
While the -help message references this option, the man page
doesn't mention the -no_ecdhe option.
This patch fixes this omission.
|
|
to the BEGIN marker
|
|
the master key in NSS keylog format. PR#3352
|
|
PR#3357
|
|
SUPPORTED CIPHERS section (bug has been fixed, but still no support for AEAD)
|
|
Specify -f is for compilation flags. Add -d to synopsis section.
Closes #77.
|
|
Add option to set an alternative to the default hmacWithSHA1 PRF
for PKCS#8 private key encryptions. This is used automatically
by PKCS8_encrypt if the nid specified is a PRF.
Add option to pkcs8 utility.
Update docs.
(cherry picked from commit b60272b01fcb4f69201b3e1659b4f7e9e9298dfb)
|
|
apps/pkcs12.c accepts -password as an argument. The document author
almost certainly meant to write "-password, -passin".
However, that is not correct, either. Actually the code treats
-password as equivalent to -passin, EXCEPT when -export is also
specified, in which case -password is equivalent to -passout.
|
|
change documentation and comments to indicate that we prefer the
standard "DHE" naming scheme everywhere over the older "EDH"
|
|
DHE is the standard term used by the RFCs and by other TLS
implementations. It's useful to have the internal variables use the
standard terminology.
This patch leaves a synonym SSL_kEDH in place, though, so that older
code can still be built against it, since that has been the
traditional API. SSL_kEDH should probably be deprecated at some
point, though.
|
|
Newer pod2man considers =item [1-9] part of a numbered list, while =item
0 starts an unnumbered list. Add a zero effect formatting mark to override
this.
doc/apps/smime.pod around line 315: Expected text after =item, not a
number
...
PR#3146
|
|
entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback API can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
|
|
* Many XMPP servers are configured with multiple domains (virtual hosts)
* In order to successfully establish the TLS connection you have to specify
  which virtual host you are trying to connect to.
* Test this, for example, with:
  * Fail:
      openssl s_client -connect talk.google.com:5222 -starttls xmpp
  * Works:
      openssl s_client -connect talk.google.com:5222 -starttls xmpp -xmpphost gmail.com
|
|