Dr. Stephen Henson
d09677ac45
Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support and
...
prohibit use of these ciphersuites for TLS < 1.2
2011-07-25 20:41:32 +00:00
Dr. Stephen Henson
8f82912460
Process signature algorithms during TLS v1.2 client authentication.
...
Make sure message is long enough for signature algorithms.
2011-05-12 14:38:01 +00:00
Dr. Stephen Henson
a2f9200fba
Initial TLS v1.2 client support. Include a default supported signature
...
algorithms extension (including everything we support). Swicth to new
signature format where needed and relax ECC restrictions.
Not TLS v1.2 client certifcate support yet but client will handle case
where a certificate is requested and we don't have one.
2011-05-09 15:44:01 +00:00
Dr. Stephen Henson
7409d7ad51
Initial incomplete TLS v1.2 support. New ciphersuites added, new version
...
checking added, SHA256 PRF support added.
At present only RSA key exchange ciphersuites work with TLS v1.2 as the
new signature format is not yet implemented.
2011-04-29 22:56:51 +00:00
Dr. Stephen Henson
08557cf22c
Initial "opaque SSL" framework. If an application defines
...
OPENSSL_NO_SSL_INTERN all ssl related structures are opaque
and internals cannot be directly accessed. Many applications
will need some modification to support this and most likely some
additional functions added to OpenSSL.
The advantage of this option is that any application supporting
it will still be binary compatible if SSL structures change.
2011-04-29 22:37:12 +00:00
Dr. Stephen Henson
23bc7961d2
Fix broken SRP error/function code assignment.
2011-03-16 16:17:46 +00:00
Ben Laurie
edc032b5e3
Add SRP support.
2011-03-12 17:01:19 +00:00
Ben Laurie
bf48836c7c
Fixes to NPN from Adam Langley.
2010-09-05 17:14:01 +00:00
Bodo Möller
7c2d4fee25
For better forward-security support, add functions
...
SSL_[CTX_]set_not_resumable_session_callback.
Submitted by: Emilia Kasper (Google)
[A part of this change affecting ssl/s3_lib.c was accidentally commited
separately, together with a compilation fix for that file;
see s3_lib.c CVS revision 1.133 (http://cvs.openssl.org/chngview?cn=19855 ).]
2010-08-26 15:15:47 +00:00
Dr. Stephen Henson
44959ee456
PR: 1833
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de >
Support for abbreviated handshakes when renegotiating.
2010-08-26 14:23:52 +00:00
Ben Laurie
ee2ffc2794
Add Next Protocol Negotiation.
2010-07-28 10:06:55 +00:00
Dr. Stephen Henson
f96ccf36ff
PR: 1830
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de >, Steve Henson
Support for RFC5705 key extractor.
2010-07-18 17:43:18 +00:00
Dr. Stephen Henson
b9e7793dd7
oops, revert wrong patch..
2010-07-18 17:43:01 +00:00
Dr. Stephen Henson
d135da5192
Fix warnings (From HEAD, original patch by Ben).
2010-07-18 16:52:47 +00:00
Dr. Stephen Henson
76998a71bc
Updates to conform with draft-ietf-tls-renegotiation-03.txt:
...
1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error is SCSV received when renegotiating.
2010-01-06 17:37:09 +00:00
Dr. Stephen Henson
82a107eaa8
compress_meth should be unsigned
2010-01-06 14:01:45 +00:00
Dr. Stephen Henson
2be3d6ebc8
Client side compression algorithm sanity checks: ensure old compression
...
algorithm matches current and give error if compression is disabled and
server requests it (shouldn't happen unless server is broken).
2010-01-01 14:39:37 +00:00
Dr. Stephen Henson
e6f418bcb7
Compression handling on session resume was badly broken: it always
...
used compression algorithms in client hello (a legacy from when
the compression algorithm wasn't serialized with SSL_SESSION).
2009-12-31 14:13:30 +00:00
Dr. Stephen Henson
ef51b4b9b4
New option to enable/disable connection to unpatched servers
2009-12-16 20:25:59 +00:00
Dr. Stephen Henson
22c2155595
Move SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION out of SSL_OP_ALL and move SSL_OP_NO_TLSv1_1
2009-12-11 00:23:12 +00:00
Dr. Stephen Henson
338a61b94e
Add patch to crypto/evp which didn't apply from PR#2124
2009-12-09 15:01:39 +00:00
Dr. Stephen Henson
7661ccadf0
Add ctrls to clear options and mode.
...
Change RI ctrl so it doesn't clash.
2009-12-09 13:25:16 +00:00
Dr. Stephen Henson
5430200b8b
Add ctrl and macro so we can determine if peer support secure renegotiation.
2009-12-08 13:42:08 +00:00
Dr. Stephen Henson
637f374ad4
Initial experimental TLSv1.1 support
2009-12-07 13:31:02 +00:00
Dr. Stephen Henson
64abf5e657
Include a more meaningful error message when rejecting legacy renegotiation
2009-11-18 14:20:21 +00:00
Dr. Stephen Henson
e0e7997212
First cut of renegotiation extension. (port to HEAD)
2009-11-09 19:03:34 +00:00
Dr. Stephen Henson
7689ed34d3
PR: 2025
...
Submitted by: Tomas Mraz <tmraz@redhat.com >
Approved by: steve@openssl.org
Constify SSL_CIPHER_description
2009-09-12 23:17:39 +00:00
Dr. Stephen Henson
1fc3ac806d
PR: 2033
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de >
Approved by: steve@openssl.org
DTLS listen support.
2009-09-09 17:05:18 +00:00
Dr. Stephen Henson
e0d4e97c1a
Make update, deleting bogus DTLS error code
2009-09-06 15:58:19 +00:00
Dr. Stephen Henson
480b9e5d29
PR: 2006
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de >
Approved by: steve@openssl.org
Do not use multiple DTLS records for a single user message
2009-08-26 11:51:57 +00:00
Dr. Stephen Henson
3ed3603b60
Update default dependency flags.
...
Make error name discrepancies a fatal error.
Fix error codes.
make update
2009-08-12 17:30:37 +00:00
Dr. Stephen Henson
b972fbaa8f
PR: 1997
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de >
Approved by: steve@openssl.org
DTLS timeout handling fix.
2009-08-12 13:19:54 +00:00
Dr. Stephen Henson
4b06d778ad
Update from 1.0.0-stable.
2009-07-15 11:33:24 +00:00
Dr. Stephen Henson
ccf117510d
Update from 1.0.0-stable.
2009-06-30 11:58:10 +00:00
Dr. Stephen Henson
e7deff3cdf
Typo.
2009-04-28 22:36:33 +00:00
Dr. Stephen Henson
8711efb498
Updates from 1.0.0-stable branch.
2009-04-20 11:33:12 +00:00
Dr. Stephen Henson
22c98d4aad
Update from 1.0.0-stable
2009-04-08 16:16:35 +00:00
Dr. Stephen Henson
220bd84911
Updates from 1.0.0-stable
2009-04-06 15:22:01 +00:00
Dr. Stephen Henson
06ddf8eb08
Updates from 1.0.0-stable
2009-04-04 19:54:06 +00:00
Ben Laurie
9b9cb004f7
Deal with the unlikely event that EVP_MD_CTX_size() returns an error.
...
(Coverity ID 140).
2008-12-27 02:09:24 +00:00
Ben Laurie
6ba71a7173
Handle the unlikely event that BIO_get_mem_data() returns -ve.
2008-12-27 02:00:38 +00:00
Ben Laurie
f3b7bdadbc
Integrate J-PAKE and TLS-PSK. Increase PSK buffer size. Fix memory leaks.
2008-11-16 12:47:12 +00:00
Dr. Stephen Henson
12bf56c017
PR: 1574
...
Submitted by: Jouni Malinen <j@w1.fi >
Approved by: steve@openssl.org
Ticket override support for EAP-FAST.
2008-11-15 17:18:12 +00:00
Geoff Thorpe
6343829a39
Revert the size_t modifications from HEAD that had led to more
...
knock-on work than expected - they've been extracted into a patch
series that can be completed elsewhere, or in a different branch,
before merging back to HEAD.
2008-11-12 03:58:08 +00:00
Ben Laurie
5e4430e70d
More size_tification.
2008-11-01 16:40:37 +00:00
Ben Laurie
babb379849
Type-checked (and modern C compliant) OBJ_bsearch.
2008-10-12 14:32:47 +00:00
Dr. Stephen Henson
3ad74edce8
Add SSL_FIPS flag for FIPS 140-2 approved ciphersuites and add a new
...
strength "FIPS" to represent all FIPS approved ciphersuites without NULL
encryption.
2008-09-10 16:02:09 +00:00
Bodo Möller
1cbf663a6c
sanity check
...
PR: 1679
2008-08-13 19:45:06 +00:00
Bodo Möller
474b3b1cc8
Fix error codes for memory-saving patch.
...
Also, get rid of compile-time switch OPENSSL_NO_RELEASE_BUFFERS
because it was rather pointless (the new behavior has to be explicitly
requested by setting SSL_MODE_RELEASE_BUFFERS anyway).
2008-08-04 22:10:38 +00:00
Dr. Stephen Henson
59d2d48f64
Add support for client cert engine setting in s_client app.
...
Add appropriate #ifdefs round client cert functions in headers.
2008-06-03 11:26:27 +00:00