mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2024-12-27 03:20:22 +08:00
Code Issues Packages Projects Releases Wiki Activity
23,406 Commits 38 Branches 307 Tags 74 MiB
a40f6bff89
Commit Graph

72 Commits

Author SHA1 Message Date
Quanah Gibson-Mount
61f619043e ITS#8580 - Explicitly honor the server side cipher suite preference 2021-01-28 20:22:50 +00:00
Quanah Gibson-Mount
efaf9a4a17 Happy New Year! 2021-01-11 19:25:53 +00:00
Howard Chu
536767798b ITS#9054 fix typo 2020-08-27 11:22:58 +01:00
Quanah Gibson-Mount
c1411b8199 ITS#9323 - Limit to OpenSSL 1.0.2 or later 2020-08-25 21:52:04 +00:00
Howard Chu
608a822349 ITS#9318 add TLS_REQSAN option 
Add an option to specify how subjectAlternativeNames should be
handled when validating the names in a server certificate.
 2020-08-21 18:05:08 +00:00
Howard Chu
2386a11649 ITS#9054 Add support for multiple EECDH curves 
Requires OpenSSL 1.0.2 or newer
 2020-08-21 07:58:07 +01:00
Howard Chu
4265849b0f ITS#9176 check for failure setting SNI 2020-04-27 18:54:02 +01:00
Howard Chu
b8f34888c3 ITS#9176 check for numeric addrs before passing SNI 2020-04-27 18:25:49 +01:00
Howard Chu
5c0efb9ce8 ITS#9176 Add TLS SNI support to libldap 
Implemented for OpenSSL, GnuTLS just stubbed
 2020-04-27 03:41:12 +01:00
Isaac Boukris
4c545ee078 ITS#9242 - ifdef tls-endpoint code in openssl pre 0.9.8 2020-04-25 22:50:52 +02:00
Isaac Boukris
3cd50fa8b3 ITS#9189 rework sasl-cbinding support 
Add LDAP_OPT_X_SASL_CBINDING option to define the binding type to use,
defaults to "none".

Add "tls-endpoint" binding type implementing "tls-server-end-point" from
RCF 5929, which is compatible with Windows.

Fix "tls-unique" to include the prefix in the bindings as per RFC 5056.
 2020-04-23 21:00:39 +02:00
Quanah Gibson-Mount
8505f774a5 Update to drop NON_BLOCKING ifdefs that were only really for moznss 2020-04-20 21:38:01 +00:00
Quanah Gibson-Mount
f6ad222e41 Happy New Year! 2020-01-09 16:50:21 +00:00
Ondřej Kuzník
aba073e171 ITS#8980 Actually return the computed status 2019-03-19 16:46:03 +00:00
Vernon Smith
8158888085 ITS#8980 fix async connections with non-blocking TLS 2019-02-28 17:02:40 +00:00
Ondřej Kuzník
09cec1f1b4 ITS#8731 Apply doc/devel/variadic_debug/03-libldap_Debug.cocci 2019-02-15 16:51:53 +00:00
Quanah Gibson-Mount
b45a6a7dc7 Happy New Year! 2019-01-14 18:46:16 +00:00
Howard Chu
d3b1558dcb ITS#8353 CRYPTO_set_id_callback deprecated in OpenSSL 0.9.9 2019-01-02 10:16:40 +00:00
Howard Chu
d7a778004b ITS#8809 add missing includes 2018-09-21 18:42:34 +01:00
Quanah Gibson-Mount
59e9ff6243 Happy New Year 2018-03-22 15:35:24 +00:00
Howard Chu
650b4822ce Avoid unnecessary C99 initializers 2018-01-25 15:40:26 +00:00
Howard Chu
f09ffffcbd Cleanup warnings 2018-01-25 15:36:00 +00:00
Bradley Baetz
e5ee07785e ITS#8791 fix OpenSSL 1.1.1 BIO_method compat 
Use the new methods unconditionally, define helper functions for older versions.
 2018-01-25 15:28:51 +00:00
Quanah Gibson-Mount
f5da6638ec ITS#8753, ITS#8774 - Fix compilation with older versions of OpenSSL 2017-11-17 14:30:45 -08:00
Ondřej Kuzník
8e34ed8c78 ITS#8753 Public key pinning support in libldap 2017-11-13 17:24:49 +00:00
Josh Soref
10566c8be3 ITS#8605 - spelling fixes 
* javascript
* kernel
* ldap
* length
* macros
* maintained
* manager
* matching
* maximum
* mechanism
* memory
* method
* mimic
* minimum
* modifiable
* modifiers
* modifying
* multiple
* necessary
* normalized
* objectclass
* occurrence
* occurring
* offered
* operation
* original
* overridden
* parameter
* permanent
* preemptively
* printable
* protocol
* provider
* really
* redistribution
* referenced
* refresh
* regardless
* registered
* request
* reserved
* resource
* response
* sanity
* separated
* setconcurrency
* should
* specially
* specifies
* structure
* structures
* subordinates
* substitution
* succeed
* successful
* successfully
* sudoers
* sufficient
* superiors
* supported
* synchronization
* terminated
* they're
* through
* traffic
* transparent
* unsigned
* unsupported
* version
* absence
* achieves
* adamson
* additional
* address
* against
* appropriate
* architecture
* associated
* async
* attribute
* authentication
* authorized
* auxiliary
* available
* begin
* beginning
* buffered
* canonical
* certificate
* charray
* check
* class
* compatibility
* compilation
* component
* configurable
* configuration
* configure
* conjunction
* constraints
* constructor
* contained
* containing
* continued
* control
* convenience
* correspond
* credentials
* cyrillic
* database
* definitions
* deloldrdn
* dereferencing
* destroy
* distinguish
* documentation
* emmanuel
* enabled
* entry
* enumerated
* everything
* exhaustive
* existence
* existing
* explicitly
* extract
* fallthru
* fashion
* february
* finally
* function
* generically
* groupname
* happened
* implementation
* including
* initialization
* initializes
* insensitive
* instantiated
* instantiation
* integral
* internal
* iterate
 2017-10-11 14:39:38 -07:00
Quanah Gibson-Mount
35a880c53e ITS#8687 - EGD is disabled by default in OpenSSL 1.1. We need to comment out this block if it is not detected. Particularly affects cross compilation. 2017-10-06 13:48:40 -07:00
Howard Chu
2e011eeb67 Fixup cacert option 2017-04-09 15:39:13 +01:00
Howard Chu
b402a2805f Add options to use DER format cert+keys directly 
Instead of loading from files.
 2017-04-09 00:13:42 +01:00
Quanah Gibson-Mount
eb8f1a7247 ITS#8353, ITS#8533 - Cleanup for libldap_r 2017-04-07 13:39:11 -07:00
Quanah Gibson-Mount
6ced84af79 ITS#8353, ITS#8533 - Fix libldap_r compilation 2017-04-06 15:12:02 -07:00
Quanah Gibson-Mount
01cbb7f4c6 ITS#8353, ITS#8533 - Ensure that the deprecated API is not used when using OpenSSL 1.1 or later 2017-04-06 11:47:06 -07:00
Howard Guo
4962dd6083 ITS#8529 Avoid hiding the error if user specified CA does not load 
The TLS configuration deliberately hid the error in case that
user specified CA locations cannot be read, by loading CAs from default
locations; and when user does not specify CA locations, the CAs from default
locations are not read at all.

This patch corrects the behaviour so that CAs from default location are used
if user does not specify a CA location, and user is informed of the error if
CAs cannot be loaded from the user specified location.
 2017-02-22 09:56:17 -08:00
Howard Chu
2bf650d95e ITS#8533 OpenSSL 1.1.0c compat 2017-01-11 14:12:45 +00:00
Quanah Gibson-Mount
1df85d3427 Happy New Year! 2017-01-03 12:36:47 -08:00
Howard Chu
6bb6d5e3c6 ITS#8353 more for OpenSSL 1.1 compat 
tmp_rsa callback has been removed from OpenSSL 1.1
Use new X509_NAME accessor function to retrieve DER bytes
 2016-01-31 03:29:28 +00:00
Quanah Gibson-Mount
6c4d6c880b Happy New Year! 2016-01-29 13:32:05 -06:00
Howard Chu
f3a7bf79db ITS#8353 partial fix 
Use newly added SSL_CTX_up_ref()
Still waiting for X509_NAME accessor
 2016-01-26 18:06:46 +00:00
Howard Chu
f2d0aa7d22 ITS#8353 partial fixes 
ERR_remove_state() is deprecated since OpenSSL 1.0.0
Use X509_NAME_ENTRY_get_object() instead of direct access.
 2016-01-21 18:05:42 +00:00
Quanah Gibson-Mount
1705fa7e55 Happy New Year 2015-02-11 15:36:57 -06:00
Kurt Zeilenga
5c878c1bf2 Happy new year (belated) 2014-01-25 05:21:25 -08:00
Howard Chu
16f8b0902c ITS#7398 add LDAP_OPT_X_TLS_PEERCERT 
retrieve peer cert for an active TLS session
 2013-09-10 04:31:39 -07:00
Howard Chu
721e46fe66 ITS#7595 don't try to use EC if OpenSSL lacks it 2013-09-08 06:32:23 -07:00
Howard Chu
7d6d6944c5 ITS#7683 log tls prot/cipher info 
Note: I could not test the MozNSS patch due to the absence of
NSS PEM support on my machine. Given the review comments in
https://bugzilla.mozilla.org/show_bug.cgi?id=402712 I doubt that
trustworthy PEM support will be appearing for MozNSS any time soon.
 2013-09-07 12:22:09 -07:00
Howard Chu
e631ce808e ITS#7595 Add Elliptic Curve support for OpenSSL 2013-09-07 09:47:40 -07:00
Howard Chu
cfeb28412c ITS#7506 fix prev commit 
The patch unconditionally enabled DHparams, which is a significant
change of behavior. Reverting to previous behavior, which only enables
DH use if a DHparam file was configured.
 2013-09-07 06:39:53 -07:00
Ben Jencks
6f120920d3 ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage. 
If a DHParamFile or olcDHParamFile is specified, then it will be used,
otherwise a hardcoded 1024 bit parameter will be used. This allows the use of
larger parameters; previously only 512 or 1024 bit parameters would ever be
used.
 2013-09-07 06:33:39 -07:00
Howard Chu
ca310ebff4 Add channel binding support 
Currently only implemented for OpenSSL.
Needs an option to set the criticality flag.
 2013-08-26 23:31:48 -07:00
Philip Guenther
c6cf495247 ITS#7645 more OpenSSL TLS versions 2013-07-29 07:01:15 -07:00
Kurt Zeilenga
0fd1bf30b8 Happy New Year 2013-01-02 10:22:57 -08:00