Age | Commit message | Author |
|
I also found a couple of others (padlock and signinit)
and fixed them.
Reviewed-by: Emilia Kasper <emilia@openssl.org>
|
|
The file param is "const char*" not "char*"
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
While RFC6367 focuses on Camellia-GCM cipher suites, it also adds a few
cipher suites that use SHA-2 based HMAC that can be very easily
added.
Tested against gnutls 3.3.5
PR#3443
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
In two OpenSSL manual pages, in the NAME section, the last word of the
name list is followed by a stray trailing comma. While this may seem
minor, it is worth fixing because it may confuse some makewhatis(8)
implementations.
While here, also add the missing word "size" to the one line
description in SSL_CTX_set_max_cert_list(3).
Reviewed by: Dr Stephen Henson <shenson@drh-consultancy.co.uk>
|
|
Update the dgst.pod page to include SHA224...512 algorithms.
Update apps/progs.pl to add them to the digest command table.
Reviewed-by: Tim Hudson <tjh@cryptosoft.com>
|
|
The x509_extensions should be req_extensions in the
config example in req.pod
Reviewed-by: tjh@cryptsoft.com
|
|
Reviewed-by: Emilia Kasper
Many of these were already fixed; this catches the last
few that were missed.
|
|
statement of opinion rather than a fact.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
PR#1675
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
PR#3456
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
to bring it up to date
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
PR#3452
|
|
Add description of the option to advertise support of
Next Protocol Negotiation extension (-nextprotoneg) to
man pages of s_client and s_server.
PR#3444
|
|
Based on feedback from Jeffrey Walton.
|
|
Reduces number of silly casts in OpenSSL code and likely most
applications. Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().
|
|
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().
Document modified interface.
|
|
Declaration, memory management, accessor and documentation.
|
|
(cherry picked from commit 2cfbec1caea8f9567bdff85d33d22481f2afb40a)
|
|
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs
|
|
298 424 656 882 939 1630 1807 2263 2294 2311 2424 2623
2637 2686 2697 2921 2922 2940 3055 3112 3156 3177 3277
|
|
ERR_get_error(3) references the non-existent
ERR_get_last_error_line_data instead of the one that does exist,
ERR_peek_last_error_line_data.
PR#3283
|
|
IN parameter.
Under the old docs, the only thing stated was "at most
EVP_PKEY_size(pkey) bytes will be written". It was kind of misleading
since it appears EVP_PKEY_size(pkey) WILL be written regardless of the
signature's buffer size.
|
|
PR#3173
|
|
Update protocols supported and note that SSLv2 is effectively disabled
by default.
PR#3184
|
|
Document that the certificate passed to SSL_CTX_add_extra_chain_cert()
should not be freed by the application.
PR#3409
|
|
Implemented as STACK_OF(OPENSSL_STRING).
|
|
The cms, ocsp, s_client, s_server and smime tools also use args_verify()
for parsing options, which makes them accept most of the same options
the verify tool does. Add those options to the man pages and reference
their explanation in the verify man page.
|
|
just making sure the options are listed in the alphabetical order
both in SYNOPSIS and DESCRIPTION, no text changes
|
|
The options related to policy used for verification, verification
of subject names in certificate and certificate chain handling
were missing in the verify(1) man page. This fixes this issue.
|
|
-CAfile and -CApath are documented in OPTIONS but are missing
in SYNOPSIS, add them there
|
|
Add -trusted_first description to help messages and man pages
of tools that deal with certificate verification.
|
|
A client reference identity of ".example.com" matches a server
certificate presented identity that is any sub-domain of "example.com"
(e.g. "www.sub.example.com").
With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches
only direct child sub-domains (e.g. "www.sub.example.com").
|
|
* Make a clear distinction between DH and ECDH key exchange.
* Group all key exchange cipher suite identifiers, first DH then ECDH
* add descriptions for all supported *DH* identifiers
* add ECDSA authentication descriptions
* add example showing how to disable all suites that offer no
authentication or encryption
|
|
Add TLS padding extension to SSL_OP_ALL so it is used with other
"bugs" options and can be turned off.
This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient
option referring to SSLv2 and SSLREF.
PR#3336
|