40ae7d6b | 26-Mar-2024 | joshua <joshua@openbsd.org>
Add TLS_ERROR_INVALID_CONTEXT error code to libtls
ok jsing@ beck@

7a756d37 | 26-Mar-2024 | joshua <joshua@openbsd.org>
Add error code support to libtls
This adds tls_config_error_code() and tls_error_code(), which will become public API at a later date.
Additional error codes will be added in follow-up commits.
ok jsing@ beck@

e6d77be9 | 14-May-2023 | op <op@openbsd.org>
add missing #include <string.h>; ok tb@

1b7b92c5 | 21-Oct-2021 | tb <tb@openbsd.org>
Eliminate a dead assignment and a weird cast. Adjust a comment to reality while there.
ok jsing

5beec0e2 | 01-Jun-2021 | tb <tb@openbsd.org>
Update RFC reference. RFC 4366 was obsoleted by RFC 6066.

bac16b51 | 01-Jun-2021 | tb <tb@openbsd.org>
Avoid sending a trailing dot in SNI as a client
While an FQDN includes a trailing dot for the zero-length label of the root, SNI explicitly does not contain it. Contrary to other TLS implementations, our tlsext_sni_is_valid_hostname() rejects a trailing dot. The result is that LibreSSL TLS servers encountering an SNI with trailing dot abort the connection with an illegal_parameter alert.
This fixes an issue reported by danj in nc(1) and by sthen in ftp(1). DNS cluebat from florian.
ok jsing

b9573a74 | 19-Mar-2018 | jsing <jsing@openbsd.org>
Automatically handle library initialisation for libtls.
Now that we have tls_init() under pthread_once(), automatically initialise libtls from the entry point functions (tls_config(), tls_client() and tls_server()) - this makes an explicit tls_init() call no longer a requirement.
ok bcook@ beck@ inoguchi@

0dd084b9 | 10-Feb-2018 | jsing <jsing@openbsd.org>
Add support to libtls for client-side TLS session resumption.
A libtls client can specify a session file descriptor (a regular file with appropriate ownership and permissions) and libtls will manage reading and writing of session data across TLS handshakes.
Discussed at length with deraadt@ and tedu@.
Rides previous minor bump.
ok beck@

4896de1e | 10-Aug-2017 | jsing <jsing@openbsd.org>
Add a tls_config_set_ecdhecurves() function to libtls, which allows the names of the elliptic curves that may be used during client and server key exchange to be specified.
This deprecates tls_config_set_ecdhecurve(), which could only be used to specify a single supported curve.
ok beck@

d5f88726 | 07-May-2017 | jsing <jsing@openbsd.org>
Ensure that a client context has been connected before attempting to complete a TLS handshake.

5f3c5205 | 10-Apr-2017 | jsing <jsing@openbsd.org>
Rework name verification code so that a match is indicated via an argument, rather than return codes. More strictly follow RFC 6125, in particular only check the CN if there are no SAN identifiers present in the certificate (per section 6.4.4).
Previous behaviour questioned by Daniel Stenberg <daniel at haxx dot se>.
ok beck@ jca@

5a752462 | 26-Jan-2017 | jsing <jsing@openbsd.org>
Use a flag to track when we need to call SSL_shutdown(). This avoids an issue where by calling tls_close() on a TLS context that has not attempted a handshake, results in an unexpected failure.
Reported by Vinay Sajip.
ok beck@

59bda8be | 12-Jan-2017 | jsing <jsing@openbsd.org>
If tls_set_cbs() fails an error will already be specified, so do not replace it with a less specific one.

888c565e | 26-Dec-2016 | jsing <jsing@openbsd.org>
Hook up a certificate verify callback so that we can set user friendly error messages, instead of libssl error strings. This gives us messages like:
certificate verification failed: certificate has expired
Instead of:
14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This also lets us always enable peer verification since the no verification case is now handled via the callback.
Tested by tedu@
ok beck@

2dc6b4e4 | 02-Nov-2016 | beck <beck@openbsd.org>
Add OCSP client side support to libtls.
- Provide access to certificate OCSP URL
- Provide ability to check a raw OCSP reply against an established TLS ctx
- Check and validate OCSP stapling info in the TLS handshake if a stapled OCSP response is provided.
Add example code to show OCSP URL and stapled info into netcat.
ok jsing@

2233a86c | 04-Sep-2016 | jsing <jsing@openbsd.org>
Maintain consistency with function naming.

ed19021f | 04-Sep-2016 | bcook <bcook@openbsd.org>
Add callback-based interface to libtls.
This allows working with buffers and callback functions instead of directly on sockets or file descriptors. Original patch from Tobias Pape <tobias_at_netshed.de>. ok beck@

b7f318e7 | 15-Aug-2016 | jsing <jsing@openbsd.org>
Explicitly pass in an SSL_CTX * to the functions that operate on one, instead of assuming that they should use the one associated with the TLS context. This allows these functions to be used with the additional SSL contexts that are needed to support server-side SNI.
Also rename tls_configure_keypair() to tls_configure_ssl_keypair(), so that these functions have a common prefix.
ok reyk@

1fe9fea1 | 28-Apr-2016 | jsing <jsing@openbsd.org>
Factor out the keypair handling in libtls. This results in more readable and self-contained code, while preparing for the ability to handle multiple keypairs. Also provide two additional functions that allow a public certificate and private key to be set with a single function call.
ok beck@

f053eeae | 09-Oct-2015 | deraadt <deraadt@openbsd.org>
fix a gotcha in the connect refactoring, that could result in dropping through and trying to bind failed v6 connects. ok guenther

e3007dfe | 08-Oct-2015 | guenther <guenther@openbsd.org>
If getaddrinfo() succeeds, then don't try look ups with other flags, even if the connect()s failed. In concert with some resolver fixes in libc, this lets ntpd be tame()ed
problem isolated by theo, who had fun untangling the libc and libtls behaviors to place blame for not being able to tame ntpd
ok beck@ deraadt@ jsing@

fc5c813d | 29-Sep-2015 | jsing <jsing@openbsd.org>
Instead of declaring a union in multiple places, move it to tls_internal.h.
ok deraadt@

810e306d | 29-Sep-2015 | deraadt <deraadt@openbsd.org>
clean some ugly indentation warts

9ba095aa | 12-Sep-2015 | jsing <jsing@openbsd.org>
Ensure that we clear the libssl error stack before we make a function call that we will pass the result through tls_ssl_error() on failure. Otherwise we can end up reporting spurious errors due to there being unrelated errors already on the error stack.
Spotted by Marko Kreen.
ok beck@

0fb5de82 | 11-Sep-2015 | beck <beck@openbsd.org>
add tls_peer functions for checking names and issuers of peer certificates. ok jsing@