#
7a756d37 |
| 26-Mar-2024 |
joshua <joshua@openbsd.org> |
Add error code support to libtls
This adds tls_config_error_code() and tls_error_code(), which will become public API at a later date.
Additional error codes will be added in follow-up commits.
ok jsing@ beck@
|
#
ac059987 |
| 24-Mar-2024 |
beck <beck@openbsd.org> |
Convert libressl to use the BoringSSL style time conversions
This gets rid of our last uses of timegm and gmtime in the library and things that ship with it. It includes a bit of refactoring in ocsp_cl.c to remove some obvious ugly.
ok tb@
|
#
7a62ab42 |
| 13-Nov-2023 |
tb <tb@openbsd.org> |
Remove last caller of ASN1_time_parse(3) in libtls
This one is slightly annoying since ASN1_TIME_to_tm(3) doesn't provide a direct check for a GeneralizedTime, so call ASN1_GENERALIZEDTIME_check() as well. This means LibreSSL parses the time twice. Shrug.
ok beck
|
#
e6d77be9 |
| 14-May-2023 |
op <op@openbsd.org> |
add missing #include <string.h>; ok tb@
|
#
582d7f0c |
| 31-Oct-2021 |
tb <tb@openbsd.org> |
Simplify some code by using X509_STORE_CTX_get_obj_by_subject()
ok beck jsing
|
#
c50c1c53 |
| 21-Oct-2021 |
tb <tb@openbsd.org> |
libtls: Don't reach into X509_STORE_CTX.
ok jsing
|
#
cf2dac91 |
| 23-Mar-2021 |
tb <tb@openbsd.org> |
OCSP_basic_verify() doesn't set errno, so use tls_set_errorx()
ok inoguchi
|
#
83718595 |
| 03-Dec-2019 |
tb <tb@openbsd.org> |
Add missing RCS tag.
|
#
a38d3b9a |
| 05-Feb-2018 |
jsing <jsing@openbsd.org> |
Do not bother NULLing pointers in memory that is freed immediately after.
|
#
7add217b |
| 05-Feb-2018 |
jsing <jsing@openbsd.org> |
Be consistent with the goto label names used in libtls code.
No change to generated assembly.
|
#
9ee433b9 |
| 20-Sep-2017 |
jsing <jsing@openbsd.org> |
Keep track of which keypair is in use by a TLS context.
This fixes a bug whereby a TLS server with SNI would always only return the OCSP staple for the default keypair, rather than returning the OCSP staple associated with the keypair that was selected via SNI.
Issue reported by William Graeber and confirmed by Andreas Bartelt.
Fix tested by William Graeber and Andreas Bartelt - thanks!
|
#
f4abe18a |
| 20-Sep-2017 |
jsing <jsing@openbsd.org> |
Slightly restructure tls_ocsp_verify_cb() to make it more like libtls code.
|
#
30a2bc87 |
| 20-Sep-2017 |
jsing <jsing@openbsd.org> |
Provide a useful error if there are no OCSP URLs in the peer certificate.
|
#
97aaf95e |
| 20-Sep-2017 |
jsing <jsing@openbsd.org> |
Fix indentation.
|
#
571083c2 |
| 16-May-2017 |
claudio <claudio@openbsd.org> |
Plug a memory leak. The main_cert needs to be X509_free()ed since SSL_get_peer_certificate() increases the ref count whereas extra_certs do not because SSL_get_peer_cert_chain() won't increase ref counts. OK beck@
|
#
9d519145 |
| 29-Jan-2017 |
beck <beck@openbsd.org> |
Move the ocsp staple to being part of the keypair structure internally, so that it does not send back bogus staples when SNI is in use. (Further change is required to be able to use staples on all keypairs and not just the main one) ok jsing@
|
#
757ef573 |
| 27-Jan-2017 |
tom <tom@openbsd.org> |
More s/OSCP/OCSP/ typos
ok jmc@
|
#
668bec95 |
| 05-Nov-2016 |
beck <beck@openbsd.org> |
Add support for server side OCSP stapling to libtls. Add support for server side OCSP stapling to netcat.
|
#
6ffc3042 |
| 05-Nov-2016 |
beck <beck@openbsd.org> |
rename ocsp_ctx to ocsp ok jsing@
|
#
e07eb418 |
| 04-Nov-2016 |
beck <beck@openbsd.org> |
make public ASN1_time_parse and ASN1_time_tm_cmp to replace former hidden functions.. document with a man page. bump majors on libtls, libssl, libcrypto ok jsing@ guenther@
|
#
69013f12 |
| 04-Nov-2016 |
beck <beck@openbsd.org> |
Add ocsp_require_stapling config option for tls - allows a connection to indicate that it requires the peer to provide a stapled OCSP response with the handshake. Provide a "-T muststaple" for nc that uses it. ok jsing@, guenther@
|
#
9d4c37a0 |
| 03-Nov-2016 |
beck <beck@openbsd.org> |
Don't do OCSP validation when we have disabled certificate verification or certificate validation. ok jsing@
|
#
dc1b668a |
| 03-Nov-2016 |
beck <beck@openbsd.org> |
Fix handshake failures: split out internals of OCSP verification to allow callback to verify before TLS handshake is complete
|
#
03ab11ef |
| 02-Nov-2016 |
beck <beck@openbsd.org> |
fix shadow declaration of time in parameter list. ok jsing@
|
#
2baedc91 |
| 02-Nov-2016 |
beck <beck@openbsd.org> |
Ensure handshake is complete before processing an ocsp response for a ctx ok jsing@
|