pod2man now complains when item tags are not sequential.
Also complains about missing =back and other tags.
Silence the warnings; most were already done.
Reviewed-by: Tim Hudson <tjh@openssl.org>
The description of when the server creates a DH key is
confusing. This cleans it up.
(rsalz: also removed trailing whitespace.)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
In two OpenSSL manual pages, in the NAME section, the last word of the
name list is followed by a stray trailing comma. While this may seem
minor, it is worth fixing because it may confuse some makewhatis(8)
implementations.
While here, also add the missing word "size" to the one line
description in SSL_CTX_set_max_cert_list(3).
Reviewed by: Dr Stephen Henson <shenson@drh-consultancy.co.uk>
Add TLS padding extension to SSL_OP_ALL so it is used with other
"bugs" options and can be turned off.
This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient
option referring to SSLv2 and SSLREF.
PR#3336
Don't clear verification errors from the error queue unless
SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set.
If errors occur during verification and SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR
is set return 2 so applications can issue warnings.
(cherry picked from commit 2dd6976f6d)
New flags to build certificate chains. The can be used to rearrange
the chain so all an application needs to do is add all certificates
in arbitrary order and then build the chain to check and correct them.
Add verify error code when building chain.
Update docs.
New ctrl sets current certificate based on certain criteria. Currently
two options: set the first valid certificate as current and set the
next valid certificate as current. Using these an application can
iterate over all certificates in an SSL_CTX or SSL structure.
PR#3169
This patch, which currently applies successfully against master and
1_0_2, adds the following functions:
SSL_[CTX_]select_current_cert() - set the current certificate without
disturbing the existing structure.
SSL_[CTX_]get0_chain_certs() - get the current certificate's chain.
SSL_[CTX_]clear_chain_certs() - clear the current certificate's chain.
The patch also adds these functions to, and fixes some existing errors
in, SSL_CTX_add1_chain_cert.pod.
This fixes problems in POD list formatting: extra or missing =back
sequences.
doc/ssl/SSL_CTX_set1_curves.pod around line 90: =back without =over
doc/ssl/SSL_CTX_set1_verify_cert_store.pod around line 73: =back without =over
doc/ssl/SSL_CTX_add1_chain_cert.pod around line 82: =back without =over
doc/crypto/evp.pod around line 40: '=item' outside of any '=over'
crypto/des/des.pod around line 184: You forgot a '=back' before '=head1'
PR#3147
Newer pod2man considers =item [1-9] part of a numbered list, while =item
0 starts an unnumbered list. Add a zero effect formatting mark to override
this.
doc/apps/smime.pod around line 315: Expected text after =item, not a
number
...
PR#3146
PR#3071
The primary changes made are:
- Updates to the "NAME" section of many pages to correctly reflect the
functions defined on those pages. This section is automatically parsed
by the util/extract-names.pl script, so if it is not correct then
running "man" will not correctly locate the right manual pages.
- Updates to take account of where functions are now deprecated
- Full documentation of the ec sub-library
- A number of other typo corrections and other minor tweaks
podlators 2.5.0 has switched to dying on POD syntax errors. This means
that a bunch of long-standing erroneous POD in the openssl documentation
now leads to fatal errors from pod2man, halting installation.
Unfortunately POD constraints mean that you have to sort numeric lists
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
you want 1 to appear first. I've reshuffled such (alas, I wish there
were a better way but I don't know of one).
directly by SSL/TLS SHA2 certificates are becoming more common and
applications that only call SSL_library_init() and not
OpenSSL_add_all_alrgorithms() will fail when verifying certificates.
Update docs.
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
relates to SSL_CTX flags and the use of "external" session caching. The
existing flag, "SSL_SESS_CACHE_NO_INTERNAL_LOOKUP" remains but is
supplemented with a complimentary flag, "SSL_SESS_CACHE_NO_INTERNAL_STORE".
The bitwise OR of the two flags is also defined as
"SSL_SESS_CACHE_NO_INTERNAL" and is the flag that should be used by most
applications wanting to implement session caching *entirely* by its own
provided callbacks. As the documented behaviour contradicted actual
behaviour up until recently, and since that point behaviour has itself been
inconsistent anyway, this change should not introduce any compatibility
problems. I've adjusted the relevant documentation to elaborate about how
this works.
Kudos to "Nadav Har'El" <nyh@math.technion.ac.il> for diagnosing these
anomalies and testing this patch for correctness.
PR: 311
New macros SSL[_CTX]_set_msg_callback_arg().
Message callback imlementation for SSL 3.0/TLS 1.0 (no SSL 2.0 yet).
New '-msg' option for 'openssl s_client' and 'openssl s_server'
that enable a message callback that displays all protocol messages.
In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert if
client_version is smaller than the protocol version in use.
Also change ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0
if the client demanded SSL 3.0 but only TLS 1.0 is enabled; then the
client will at least see that alert.
Fix SSL[_CTX]_ctrl prototype (void * instead of char * for generic
pointer).
Add/update some OpenSSL copyright notices.
From: "Chris D. Peterson" <cpeterson@aventail.com>
Subject: Implementation Issues with OpenSSL
To: openssl-users@openssl.org
Date: Wed, 22 Aug 2001 16:13:17 -0700
The patch included in the original post may improve the internal session
list handling (and is therefore worth a seperate investigation).
No change to the list handling will however solve the problems of incorrect
SSL_SESSION_free() calls. The session list is only one possible point of
failure, dangling pointers would also occur for SSL object currently
using the session. The correct solution is to only use SSL_SESSION_free()
when applicable!