Age | Commit message (Collapse) | Author |
|
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.
Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 4b4c1fcc88aec8c9e001b0a0077d3cd4de1ed0e6)
Conflicts:
CHANGES
doc/ssl/SSL_CTX_set_options.pod
ssl/d1_srvr.c
ssl/s3_srvr.c
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
handling out of #ifndef OPENSSL_NO_DTLS1 section.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
statement of opinion rather than a fact.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c8d133e4b6f1ed1b7ad3c1a6d2c62f460e26c050)
|
|
PR#1675
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 197400c3f0d617d71ad8167b52fb73046d334320)
|
|
PR#3456
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit d48e78f0cf22aaddb563f4bcfccf25b1a45ac8a4)
|
|
to bring it up to date
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3bd548192a03142c80cf8bc68659d79dea20a738)
|
|
PR#3452
(cherry picked from commit ca2015a617842fed3d36ed4dcbbf8d5e27bc5216)
|
|
(cherry picked from commit a23a6e85d8dcd5733a343754f434201f3c9aa6f0)
|
|
|
|
(cherry picked from commit 07255f0a76d9d349d915e14f969b9ff2ee0d1953)
|
|
|
|
|
|
-verify_return_error aren't in this release.
|
|
(cherry picked from commit b5071dc2f67d7667ab3cbbe50a30342f999b896a)
Conflicts:
doc/apps/s_client.pod
doc/apps/verify.pod
doc/apps/x509v3_config.pod
doc/crypto/ASN1_generate_nconf.pod
doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod
doc/ssl/SSL_CONF_cmd.pod
doc/ssl/SSL_CONF_cmd_argv.pod
doc/ssl/SSL_CTX_set_cert_cb.pod
doc/ssl/SSL_CTX_set_security_level.pod
|
|
ERR_get_error(3) references the non-existent
ERR_get_last_error_line_data instead of the one that does exist,
ERR_peek_last_error_line_data.
PR#3283
(cherry picked from commit 5cc99c6cf5e908df6b00b04af7f08e99c0698c7b)
|
|
PR#3173
(cherry picked from commit 76ed5a42ea68dd08bba44e4003b7e638e5d8a4a3)
|
|
Document that the certificate passed to SSL_CTX_add_extra_chain_cert()
should not be freed by the application.
PR#3409
Add restrictions section present in other branches.
(cherry picked from commit 86cac6d3b25342ff17a2b6564f7592fd7c6829e8)
|
|
PR: 2678
Submitted by: Annie Yousar
(cherry picked from commit d572544a2cccc9dad7afcef24de11232e5506c99)
|
|
|
|
PR#3357
(cherry picked from commit ca3ffd9670f2b589bf8cc04923f953e06d6fbc58)
Conflicts:
doc/apps/smime.pod
|
|
wrong branch
|
|
|
|
|
|
|
|
(cherry picked from commit 3143a332e8f2f5ca1a6f0262a1a1a66103f2adf7)
|
|
Remove reference to ERR_TXT_MALLOCED in the error library as that is
only used internally. Indicate that returned error data must not be
freed.
(cherry picked from commit f2d678e6e89b6508147086610e985d4e8416e867)
|
|
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
|
|
(cherry picked from commit 3a918ea2bbf4175d9461f81be1403d3781b2c0dc)
|
|
podlators 2.5.0 has switched to dying on POD syntax errors. This means
that a bunch of long-standing erroneous POD in the openssl documentation
now leads to fatal errors from pod2man, halting installation.
Unfortunately POD constraints mean that you have to sort numeric lists
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
you want 1 to appear first. I've reshuffled such (alas, I wish there
were a better way but I don't know of one).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Submitted By: Ger Hobbelt <ger@hobbelt.com>
Update docs to BIO_f_buffer()
|
|
directly by SSL/TLS SHA2 certificates are becoming more common and
applications that only call SSL_library_init() and not
OpenSSL_add_all_alrgorithms() will fail when verifying certificates.
Update docs.
|
|
|
|
Submitted Daniel Mentz <danielml@sent.com>
Documentation typo.
|
|
Submitted by: Mike Frysinger <vapier@gentoo.org>
Add includes in synopsis, fix some indents. For some reason this never got
applied to the 0.9.8-stable branch.
|
|
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT error codes were reversed in
the verify application documentation.
|
|
|
|
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
|
|
|
|
|
|
|
|
|
|
|
|
Initial secure renegotiation documentation.
|