History log of /openbsd-src/lib/libtls/tls_client.c (Results 1 – 25 of 51)
Revision Date Author Comments
# 40ae7d6b 26-Mar-2024 joshua <joshua@openbsd.org>

Add TLS_ERROR_INVALID_CONTEXT error code to libtls

ok jsing@ beck@


# 7a756d37 26-Mar-2024 joshua <joshua@openbsd.org>

Add error code support to libtls

This adds tls_config_error_code() and tls_error_code(), which will become
public API at a later date.

Additional error codes will be added in follow-up commits.

ok jsing@ beck@


# e6d77be9 14-May-2023 op <op@openbsd.org>

add missing #include <string.h>; ok tb@


# 1b7b92c5 21-Oct-2021 tb <tb@openbsd.org>

Eliminate a dead assignment and a weird cast. Adjust a comment to
reality while there.

ok jsing


# 5beec0e2 01-Jun-2021 tb <tb@openbsd.org>

Update RFC reference. RFC 4366 was obsoleted by RFC 6066.


# bac16b51 01-Jun-2021 tb <tb@openbsd.org>

Avoid sending a trailing dot in SNI as a client

While an FQDN includes a trailing dot for the zero-length label of
the root, SNI explicitly does not contain it. Contrary to other TLS
implementations, our tlsext_sni_is_valid_hostname() rejects a trailing
dot. The result is that LibreSSL TLS servers encountering an SNI with
trailing dot abort the connection with an illegal_parameter alert.

This fixes an issue reported by danj in nc(1) and by sthen in ftp(1).
DNS cluebat from florian.

ok jsing


# b9573a74 19-Mar-2018 jsing <jsing@openbsd.org>

Automatically handle library initialisation for libtls.

Now that we have tls_init() under pthread_once(), automatically initialise
libtls from the entry point functions (tls_config(), tls_client() and
tls_server()) - this makes an explicit tls_init() call no longer a
requirement.

ok bcook@ beck@ inoguchi@


# 0dd084b9 10-Feb-2018 jsing <jsing@openbsd.org>

Add support to libtls for client-side TLS session resumption.

A libtls client can specify a session file descriptor (a regular file
with appropriate ownership and permissions) and libtls will manage reading
and writing of session data across TLS handshakes.

Discussed at length with deraadt@ and tedu@.

Rides previous minor bump.

ok beck@


# 4896de1e 10-Aug-2017 jsing <jsing@openbsd.org>

Add a tls_config_set_ecdhecurves() function to libtls, which allows the
names of the elliptic curves that may be used during client and server
key exchange to be specified.

This deprecates tls_config_set_ecdhecurve(), which could only be used to
specify a single supported curve.

ok beck@


# d5f88726 07-May-2017 jsing <jsing@openbsd.org>

Ensure that a client context has been connected before attempting to
complete a TLS handshake.


# 5f3c5205 10-Apr-2017 jsing <jsing@openbsd.org>

Rework name verification code so that a match is indicated via an argument,
rather than return codes. More strictly follow RFC 6125, in particular only
check the CN if there are no SAN identifiers present in the certificate
(per section 6.4.4).

Previous behaviour questioned by Daniel Stenberg <daniel at haxx dot se>.

ok beck@ jca@


# 5a752462 26-Jan-2017 jsing <jsing@openbsd.org>

Use a flag to track when we need to call SSL_shutdown(). This avoids an
issue whereby calling tls_close() on a TLS context that has not attempted
a handshake results in an unexpected failure.

Reported by Vinay Sajip.

ok beck@


# 59bda8be 12-Jan-2017 jsing <jsing@openbsd.org>

If tls_set_cbs() fails an error will already be specified, so do not
replace it with a less specific one.


# 888c565e 26-Dec-2016 jsing <jsing@openbsd.org>

Hook up a certificate verify callback so that we can set user friendly
error messages, instead of libssl error strings. This gives us messages
like:

certificate verification failed: certificate has expired

Instead of:

14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

This also lets us always enable peer verification since the no verification
case is now handled via the callback.

Tested by tedu@

ok beck@


# 2dc6b4e4 02-Nov-2016 beck <beck@openbsd.org>

Add OCSP client side support to libtls.
- Provide access to certificate OCSP URL
- Provide ability to check a raw OCSP reply against an
  established TLS ctx
- Check and validate OCSP stapling info in the TLS handshake
  if a stapled OCSP response is provided.

Add example code to show OCSP URL and stapled info
into netcat.

ok jsing@


# 2233a86c 04-Sep-2016 jsing <jsing@openbsd.org>

Maintain consistency with function naming.


# ed19021f 04-Sep-2016 bcook <bcook@openbsd.org>

Add callback-based interface to libtls.

This allows working with buffers and callback functions instead of directly on
sockets or file descriptors.
Original patch from Tobias Pape <tobias_at_netshed.de>.
ok beck@


# b7f318e7 15-Aug-2016 jsing <jsing@openbsd.org>

Explicitly pass in an SSL_CTX * to the functions that operate on one,
instead of assuming that they should use the one associated with the TLS
context. This allows these functions to be used with the additional
SSL contexts that are needed to support server-side SNI.

Also rename tls_configure_keypair() to tls_configure_ssl_keypair(), so that
these functions have a common prefix.

ok reyk@


# 1fe9fea1 28-Apr-2016 jsing <jsing@openbsd.org>

Factor out the keypair handling in libtls. This results in more readable
and self-contained code, while preparing for the ability to handle
multiple keypairs. Also provide two additional functions that allow
a public certificate and private key to be set with a single function
call.

ok beck@


# f053eeae 09-Oct-2015 deraadt <deraadt@openbsd.org>

fix a gotcha in the connect refactoring, that could result in dropping
through and trying to bind failed v6 connects.
ok guenther


# e3007dfe 08-Oct-2015 guenther <guenther@openbsd.org>

If getaddrinfo() succeeds, then don't try look ups with other flags, even
if the connect()s failed. In concert with some resolver fixes in libc,
this lets ntpd be tame()ed

problem isolated by theo, who had fun untangling the libc and libtls
behaviors to place blame for not being able to tame ntpd

ok beck@ deraadt@ jsing@


# fc5c813d 29-Sep-2015 jsing <jsing@openbsd.org>

Instead of declaring a union in multiple places, move it to tls_internal.h.

ok deraadt@


# 810e306d 29-Sep-2015 deraadt <deraadt@openbsd.org>

clean some ugly indentation warts


# 9ba095aa 12-Sep-2015 jsing <jsing@openbsd.org>

Ensure that we clear the libssl error stack before we make a function call
that we will pass the result through tls_ssl_error() on failure. Otherwise
we can end up reporting spurious errors due to there being unrelated errors
already on the error stack.

Spotted by Marko Kreen.

ok beck@


# 0fb5de82 11-Sep-2015 beck <beck@openbsd.org>

add tls_peer functions for checking names and issuers of peer certificates.
ok jsing@

