| Age | Commit message (Collapse) | Author |
|---|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
once the ChangeCipherSpec message is received. Previously, the server would
set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED.
This would allow a second CCS to arrive and would corrupt the server state.
(Because the first CCS would latch the correct keys and subsequent CCS
messages would have to be encrypted, a MitM attacker cannot exploit this,
though.)
Thanks to Joeri de Ruiter for reporting this issue.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e94a6c0ede623960728415b68650a595e48f5a43)
Conflicts:
CHANGES
ssl/s3_srvr.c
|
|
The client sends a session ID with the session ticket, and uses
the returned ID to detect resumption, so we do not need to peek
at handshake messages: s->hit tells us explicitly if we're resuming.
An equivalent change was independently made in BoringSSL, see commit
407886f589cf2dbaed82db0a44173036c3bc3317.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 980bc1ec6114f5511b20c2e6ca741e61a39b99d6)
Conflicts:
ssl/d1_clnt.c
ssl/s3_clnt.c
|
|
CVE-2014-3510
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
PR#3449
|
|
PR: 2808
With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and
FORWARD-TSN chunks. The key for this extension is derived from the
master secret and changed with the next ChangeCipherSpec, whenever a new
key has been negotiated. The following Finished then already uses the
new key. Unfortunately, the ChangeCipherSpec and Finished are part of
the same flight as the ClientKeyExchange, which is necessary for the
computation of the new secret. Hence, these messages are sent
immediately following each other, leaving the server very little time to
compute the new secret and pass it to SCTP before the finished arrives.
So the Finished is likely to be discarded by SCTP and a retransmission
becomes necessary. To prevent this issue, the Finished of the client is
still sent with the old key.
(cherry picked from commit 9fb523adce6fd6015b68da2ca8e4ac4900ac2be2)
(cherry picked from commit b9ef52b07897f249a9fa44943dba33fba8fb2721)
|
|
|
|
|
|
I'll be using this to make an option for randomizing the time.
|
|
Instead, send random bytes.
While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear. This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:
* It's quite possible to open two TLS connections in one second.
* If the PRNG output is prone to repeat itself, ephemeral
* handshakes (and who knows what else besides) are broken.
|
|
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Fix possible DTLS timer deadlock.
|
|
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Support for TLS/DTLS heartbeats.
|
|
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Add SCTP support for DTLS (RFC 6083).
|
|
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Fix DTLS session resumption timer bug.
|
|
|
|
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Fix other cases not covered by original patch.
|
|
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Support for abbreviated handshakes when renegotiating.
|
|
Submitted by: steve@openssl.org
More robust fix and workaround for PR#1949. Don't try to work out if there
is any write pending data as this can be unreliable: always flush.
|
|
|
|
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Add extension support to DTLS code mainly using existing implementation for
TLS.
|
|
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
Add Renegotiation extension to DTLS, fix DTLS ClientHello processing bug.
|
|
Fix from 0.9.8-stable.
|
|
|
|
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve@openssl.org
DTLS fragment retransmission bug.
|
|
Submitted by: Michael Tuexen <tuexen@fh-muenster.de>
Reviewed by: steve@openssl.org
Add ECDHE and PSK support to DTLS.
|
|
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
DTLS Timer bug fix.
|
|
|
|
|
|
Submitted by: David Woodhouse <dwmw2@infradead.org>
Approved by: steve@openssl.org
Compatibility patches for Cisco VPN client DTLS.
|
|
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
DTLS Timer Bug fix.
|
|
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
Update patch for PR#1647.
|
|
|
|
|
|
OPENSSL_NO_DEPRECATED, etc. Steve, please double-check the CMS stuff...
|
|
|
|
HelloVerifyRequest.
|
|
Submitted by: Victor B. Wagner <vitus@cryptocom.ru>
|
|
ciphersuite selection code in HEAD
Submitted by: Victor Duchovni
|
|
This change resolves a number of problems and obviates multiple kludges.
A new feature is that you can now say "AES256" or "AES128" (not just
"AES", which enables both).
In some cases the ciphersuite list generated from a given string is
affected by this change. I hope this is just in those cases where the
previous behaviour did not make sense.
|
|
|
|
|
|
pointer and make the SSL_METHOD parameter in SSL_CTX_new,
SSL_CTX_set_ssl_version and SSL_set_ssl_method const.
|
|
for locking code. The CRYPTO_LOCK_SSL_METHOD lock is now no longer used.
|
|
|
|
./configure no-deprecated [no-dsa] [no-dh] [no-ec] [no-rsa]
make depend all test
work again
PR: 1159
|
|
with the SSL_OP_NO_SSLv2 option.
|
|
move some functions from exported header <openssl/dtl1.h> into "ssl_locl.h";
fix silly indentation (a TAB is *not* always 4 spaces)
|
|
|
