Dr. Stephen Henson
e6f418bcb7
Compression handling on session resume was badly broken: it always
...
used compression algorithms in client hello (a legacy from when
the compression algorithm wasn't serialized with SSL_SESSION).
2009-12-31 14:13:30 +00:00
Dr. Stephen Henson
76774c5ea1
return v1.1 methods for client/server
2009-12-28 00:31:16 +00:00
Dr. Stephen Henson
73527122c9
Typo
2009-12-27 23:02:50 +00:00
Dr. Stephen Henson
d68015764e
Update RI to match latest spec.
...
MCSV is now called SCSV.
Don't send SCSV if renegotiating.
Also note if RI is empty in debug messages.
2009-12-27 22:58:55 +00:00
Dr. Stephen Henson
fbed9f8158
Alert to use is now defined in spec: update code
2009-12-17 15:42:52 +00:00
Dr. Stephen Henson
ef51b4b9b4
New option to enable/disable connection to unpatched servers
2009-12-16 20:25:59 +00:00
Dr. Stephen Henson
c27c9cb4f7
Allow initial connection (but no renegoriation) to servers which don't support
...
RI.
Reorganise RI checking code and handle some missing cases.
2009-12-14 13:56:04 +00:00
Dr. Stephen Henson
22c2155595
Move SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION out of SSL_OP_ALL and move SSL_OP_NO_TLSv1_1
2009-12-11 00:23:12 +00:00
Dr. Stephen Henson
a8640f0a7d
Check s3 is not NULL
2009-12-09 15:03:44 +00:00
Dr. Stephen Henson
338a61b94e
Add patch to crypto/evp which didn't apply from PR#2124
2009-12-09 15:01:39 +00:00
Dr. Stephen Henson
7661ccadf0
Add ctrls to clear options and mode.
...
Change RI ctrl so it doesn't clash.
2009-12-09 13:25:16 +00:00
Dr. Stephen Henson
82e610e2cf
Send no_renegotiation alert as required by spec.
2009-12-08 19:06:26 +00:00
Dr. Stephen Henson
5430200b8b
Add ctrl and macro so we can determine if peer support secure renegotiation.
2009-12-08 13:42:08 +00:00
Dr. Stephen Henson
13f6d57b1e
Add support for magic cipher suite value (MCSV). Make secure renegotiation
...
work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.
NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.
Change mismatch alerts to handshake_failure as required by spec.
Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
2009-12-08 13:14:03 +00:00
Dr. Stephen Henson
8025e25113
PR: 2121
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Add extension support to DTLS code mainly using existing implementation for
TLS.
2009-12-08 11:37:40 +00:00
Dr. Stephen Henson
637f374ad4
Initial experimental TLSv1.1 support
2009-12-07 13:31:02 +00:00
Dr. Stephen Henson
7f354fa42d
Ooops...
2009-12-01 18:40:50 +00:00
Dr. Stephen Henson
6732e14278
check DSA_sign() return value properly
2009-12-01 18:39:33 +00:00
Dr. Stephen Henson
499684404c
PR: 2115
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
Add Renegotiation extension to DTLS, fix DTLS ClientHello processing bug.
2009-12-01 17:42:15 +00:00
Dr. Stephen Henson
6cef3a7f9c
Servers can't end up talking SSLv2 with legacy renegotiation disabled
2009-11-18 15:09:44 +00:00
Dr. Stephen Henson
4d09323a63
Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotiation
2009-11-18 14:45:48 +00:00
Dr. Stephen Henson
64abf5e657
Include a more meaningful error message when rejecting legacy renegotiation
2009-11-18 14:20:21 +00:00
Richard Levitte
0a02d1db34
Update from 1.0.0-stable
2009-11-12 17:03:10 +00:00
Dr. Stephen Henson
860c3dd1b6
add missing parts of reneg port, fix apps patch
2009-11-11 14:51:19 +00:00
Dr. Stephen Henson
e0e7997212
First cut of renegotiation extension. (port to HEAD)
2009-11-09 19:03:34 +00:00
Dr. Stephen Henson
7ba3838a4b
If it is a new session don't send the old TLS ticket: send a zero length
...
ticket to request a new session.
2009-11-08 14:36:12 +00:00
Dr. Stephen Henson
4398222457
Ooops, revert committed conflict.
2009-11-07 22:22:40 +00:00
Dr. Stephen Henson
71af26b57b
PR: 2089
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
DTLS Fragment size bug fix.
2009-11-02 13:38:22 +00:00
Dr. Stephen Henson
4b4ba6a887
Generate stateless session ID just after the ticket is received instead
...
of when a session is loaded. This will mean that applications that
just hold onto SSL_SESSION structures and never call d2i_SSL_SESSION()
will still work.
2009-10-30 14:06:03 +00:00
Dr. Stephen Henson
661dc1431f
Fix statless session resumption so it can coexist with SNI
2009-10-30 13:22:24 +00:00
Dr. Stephen Henson
213f08a65a
Don't attempt session resumption if no ticket is present and session
...
ID length is zero.
2009-10-28 19:52:18 +00:00
Dr. Stephen Henson
3e24d43931
oops!
2009-10-28 19:50:59 +00:00
Dr. Stephen Henson
b57329ba90
PR: 2085
...
Submitted by: Mike Frysinger <vapier@gentoo.org>
Approved by: steve@openssl.org
Change domd test to match 1.0.0+ version: check $MAKEDEPEND
ends in "gcc" to support cross compilers.
2009-10-28 19:48:09 +00:00
Dr. Stephen Henson
c6bec6ef0d
PR: 2072
...
Submitted by: Tomas Mraz <tmraz@redhat.com>
Approved by: steve@openssl.org
Avoid potential doublefree and reuse of freed handshake_buffer.
2009-10-16 15:24:07 +00:00
Dr. Stephen Henson
7c3908dd19
PR: 2073
...
Submitted by: Tomas Mraz <tmraz@redhat.com>
Approved by: steve@openssl.org
Don't access freed SSL_CTX in SSL_free().
2009-10-16 13:41:39 +00:00
Dr. Stephen Henson
04f9095d9e
Fix unitialized warnings
2009-10-04 16:52:51 +00:00
Dr. Stephen Henson
d4778ae47e
PR: 2055
...
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org
Correct BIO_ctrl error handling in s2_srvr.c
2009-10-01 00:06:14 +00:00
Dr. Stephen Henson
ff613640e2
PR: 2054
...
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org
Correct BIO_ctrl error handling
2009-10-01 00:02:52 +00:00
Dr. Stephen Henson
e9f613acea
PR: 2039
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
DTLS listen bug fix,
2009-09-15 22:48:57 +00:00
Dr. Stephen Henson
a25f33d28a
Submitted by: Julia Lawall <julia@diku.dk>
...
The functions ENGINE_ctrl(), OPENSSL_isservice(), EVP_PKEY_sign(),
CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error fix
so the return code is checked correctly.
2009-09-13 11:29:29 +00:00
Dr. Stephen Henson
7689ed34d3
PR: 2025
...
Submitted by: Tomas Mraz <tmraz@redhat.com>
Approved by: steve@openssl.org
Constify SSL_CIPHER_description
2009-09-12 23:17:39 +00:00
Dr. Stephen Henson
33130b07ce
PR: 1411
...
Submitted by: steve@openssl.org
Allow use of trusted certificates in SSL_CTX_use_chain_file()
2009-09-12 23:09:45 +00:00
Dr. Stephen Henson
1fc3ac806d
PR: 2033
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
DTLS listen support.
2009-09-09 17:05:18 +00:00
Dr. Stephen Henson
14b148d390
Typo presumably....
2009-09-06 17:56:30 +00:00
Dr. Stephen Henson
e0d4e97c1a
Make update, deleting bogus DTLS error code
2009-09-06 15:58:19 +00:00
Dr. Stephen Henson
07a9d1a2c2
PR: 2028
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
Fix DTLS cookie management bugs.
2009-09-04 17:42:53 +00:00
Dr. Stephen Henson
3d9b105fe0
PR: 2009
...
Submitted by: "Alexei Khlebnikov" <alexei.khlebnikov@opera.com>
Approved by: steve@openssl.org
Avoid memory leak and fix error reporting in d2i_SSL_SESSION(). NB: although
the ticket mentions buffer overruns this isn't a security issue because
the SSL_SESSION structure is generated internally and it should never be
possible to supply its contents from an untrusted application (this would
among other things destroy session cache security).
2009-09-02 13:20:32 +00:00
Dr. Stephen Henson
70dc09ebe4
PR: 2022
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
Fix DTLS record header length bug.
2009-09-02 12:53:52 +00:00
Dr. Stephen Henson
480b9e5d29
PR: 2006
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
Do not use multiple DTLS records for a single user message
2009-08-26 11:51:57 +00:00
Dr. Stephen Henson
3ed3603b60
Update default dependency flags.
...
Make error name discrepancies a fatal error.
Fix error codes.
make update
2009-08-12 17:30:37 +00:00