Commit graph

962 commits

Author SHA1 Message Date
Hubert Kario
4ceddeea6c backport changes to ciphers(1) man page
Backport of patch:
add ECC strings to ciphers(1), point out difference between DH and ECDH

and backport of other other assorted fixes to this man page

 * Make a clear distinction between DH and ECDH key exchange.
 * Group all key exchange cipher suite identifiers, first DH then ECDH
 * add descriptions for all supported *DH* identifiers
 * add ECDSA authentication descriptions
 * add example showing how to disable all suites that offer no
   authentication or encryption
 * update status of static DH (it's now supported)
 * backport descriptions of AES128, AES256, AESGCM
 * backport descriptions of CAMELLIA128, CAMELLIA256
 * backport listing of standard names for ECC cipher suites
   and TLSv1.2 cipher suites
 * backport description of PSK cipher suites
2014-06-10 20:55:14 +01:00
Matt Caswell
5400882ca3 Fixed minor duplication in docs 2014-06-07 12:31:38 +01:00
Dr. Stephen Henson
623a01df49 Option to disable padding extension.
Add TLS padding extension to SSL_OP_ALL so it is used with other
"bugs" options and can be turned off.

This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient
option referring to SSLv2 and SSLREF.

PR#3336
(cherry picked from commit 758415b2259fa45d3fe17d8e53ae1341b7b6e482)

Conflicts:

	ssl/t1_lib.c
2014-06-01 16:50:25 +01:00
Matt Caswell
88d3d6c9ae Fixed error in args for SSL_set_msg_callback and SSL_set_msg_callback_arg 2014-05-25 23:47:32 +01:00
Matt Caswell
15e4565984 Fixed minor copy&paste error, and stray space causing rendering problem 2014-05-22 00:11:40 +01:00
Matt Caswell
5757766550 Fixed unterminated B tag, causing build to fail with newer pod2man versions 2014-05-22 00:01:33 +01:00
Viktor Dukhovni
a2219f6be3 Fixes to host checking.
Fixes to host checking wild card support and add support for
setting host checking flags when verifying a certificate
chain.
(cherry picked from commit 397a8e747d)
2014-05-21 11:32:19 +01:00
Dr. Stephen Henson
cd302feb5d Change default cipher in smime app to des3.
PR#3357
(cherry picked from commit ca3ffd9670f2b589bf8cc04923f953e06d6fbc58)
2014-05-21 11:28:57 +01:00
Matt Caswell
a99d2a22e1 Moved note about lack of support for AEAD modes out of BUGS section to SUPPORTED CIPHERS section (bug has been fixed, but still no support for AEAD) 2014-05-15 21:15:21 +01:00
Jeffrey Walton
4907cf0845 Fix grammar error in verify pod. PR#3355 2014-05-14 22:58:19 +01:00
Jeffrey Walton
28b4820f70 Add information to BUGS section of enc documentation. PR#3354 2014-05-14 22:58:19 +01:00
Michal Bozon
72967d5be9 Corrected POD syntax errors. PR#3353 2014-05-14 22:58:19 +01:00
Jean-Paul Calderone
b953b02849 Correct the return type on the signature for X509_STORE_CTX_get_ex_data given in the pod file. 2014-05-12 22:49:00 +01:00
Jeff Trawick
d576146ebf typo in SSL_get_peer_cert_chain docs
RT: 3304
2014-05-02 00:26:05 +01:00
Matt Caswell
1d3f432b53 Fixed various pod errors 2014-05-01 00:07:28 +01:00
Lubomir Rintel
15a4add72d POD: Fix item numbering
Newer pod2man considers =item [1-9] part of a numbered list, while =item
0 starts an unnumbered list. Add a zero effect formatting mark to override
this.

doc/apps/smime.pod around line 315: Expected text after =item, not a
number
...

PR#3146
2014-04-30 23:44:54 +01:00
mancha
e6a01b47e4 Fix version documentation.
Specify -f is for compilation flags. Add -d to synopsis section.

(cherry picked from commit 006397ea62bbcae22c8664d53c2222b808c4bdd1)

Closes #78.
2014-04-26 11:20:00 +01:00
Dr. Stephen Henson
6e85eba11b Document -debug_decrypt option.
(cherry picked from commit 0dd5b94aeb)
2014-04-16 12:35:54 +01:00
Dr. Stephen Henson
9c1d63540f Clarify CMS_decrypt behaviour.
(cherry picked from commit 5f8e9a477a)
2014-04-15 18:19:26 +01:00
Dr. Stephen Henson
db34be4224 Add new key fingerprint.
(cherry picked from commit 3143a332e8)
2014-04-11 02:51:34 +01:00
Dr. Stephen Henson
a4896327e3 Document -verify_return_error option.
(cherry picked from commit 4e6c12f308)
2014-04-07 13:03:54 +01:00
Dr. Stephen Henson
04f35a8909 Document new crl option.
(cherry picked from commit dbb7654dc1)
2014-04-03 13:35:48 +01:00
Dr. Stephen Henson
1f44dac24d Add -no_resumption_on_reneg to SSL_CONF. 2014-03-27 15:51:25 +00:00
Dr. Stephen Henson
2dd6976f6d Update chain building function.
Don't clear verification errors from the error queue unless
SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set.

If errors occur during verification and SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR
is set return 2 so applications can issue warnings.
2014-03-27 14:23:46 +00:00
Dr. Stephen Henson
12c56e4888 Sync crypto documentation with master branch. 2014-03-03 15:12:17 +00:00
Dr. Stephen Henson
b60272b01f PKCS#8 support for alternative PRFs.
Add option to set an alternative to the default hmacWithSHA1 PRF
for PKCS#8 private key encryptions. This is used automatically
by PKCS8_encrypt if the nid specified is a PRF.

Add option to pkcs8 utility.

Update docs.
2014-03-01 23:14:08 +00:00
Dr. Stephen Henson
c5ea65b157 New chain building flags.
New flags to build certificate chains. The can be used to rearrange
the chain so all an application needs to do is add all certificates
in arbitrary order and then build the chain to check and correct them.

Add verify error code when building chain.

Update docs.
(cherry picked from commit 13dc3ce9ab)
2014-02-23 13:49:21 +00:00
Dr. Stephen Henson
58b86e4235 Option to set current cert to server certificate.
(cherry picked from commit daddd9a950)
2014-02-23 13:49:21 +00:00
Kurt Roeckx
b3d8de7903 Fix additional pod errors with numbered items.
(cherry picked from commit e547c45f1c)
2014-02-14 22:35:15 +00:00
Scott Schaefer
0413ea5801 Fix various spelling errors
(cherry picked from commit 2b4ffc659e)
2014-02-14 22:35:15 +00:00
Scott Schaefer
2f6fba6772 Document pkcs12 -password behavior
apps/pkcs12.c accepts -password as an argument.  The document author
almost certainly meant to write "-password, -passin".

However, that is not correct, either.  Actually the code treats
-password as equivalent to -passin, EXCEPT when -export is also
specified, in which case -password as equivalent to -passout.
(cherry picked from commit 856c6dfb09)
2014-02-14 22:35:15 +00:00
Scott Deboy
038bec784e Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.

(cherry picked from commit 36086186a9)
Conflicts:
	Configure
	apps/s_client.c
	apps/s_server.c
	ssl/ssl.h
	ssl/ssl3.h
	ssl/ssltest.c
2014-02-08 16:12:15 -08:00
Dr. Stephen Henson
e2f06800bc New ctrl to set current certificate.
New ctrl sets current certificate based on certain criteria. Currently
two options: set the first valid certificate as current and set the
next valid certificate as current. Using these an application can
iterate over all certificates in an SSL_CTX or SSL structure.
(cherry picked from commit 0f78819c8c)
2014-02-02 23:12:06 +00:00
Dr. Stephen Henson
f2d678e6e8 Clarify docs.
Remove reference to ERR_TXT_MALLOCED in the error library as that is
only used internally. Indicate that returned error data must not be
freed.
2014-01-29 00:59:35 +00:00
Dr. Stephen Henson
aabfee601e Certificate callback doc.
(cherry picked from commit 46ab9bbd7f)
2014-01-28 13:38:55 +00:00
Jeff Trawick
ae6fbb5df0 typo
(cherry picked from commit 5edce5685f)
2014-01-10 23:02:46 +00:00
Jeff Trawick
f9c1f03754 typo
(cherry picked from commit 4b64e0cbdb)
2014-01-10 23:02:20 +00:00
Dr. Stephen Henson
b9fa413a08 Use algorithm specific chains for certificates.
Fix a limitation in SSL_CTX_use_certificate_chain_file(): use algorithm
specific chains instead of the shared chain.

Update docs.
(cherry picked from commit a4339ea3ba)

Conflicts:

	CHANGES
2014-01-03 22:45:20 +00:00
Dr. Stephen Henson
2a1b7bd380 New functions to retrieve certificate from SSL_CTX
New functions to retrieve current certificate or private key
from an SSL_CTX.

Constify SSL_get_private_key().
(cherry picked from commit a25f9adc77)
2013-11-18 18:59:18 +00:00
Dr. Stephen Henson
1abfa78a8b Constify. 2013-11-14 21:00:40 +00:00
Rob Stradling
dc4bdf592f Additional "chain_cert" functions.
PR#3169

This patch, which currently applies successfully against master and
1_0_2, adds the following functions:

SSL_[CTX_]select_current_cert() - set the current certificate without
disturbing the existing structure.

SSL_[CTX_]get0_chain_certs() - get the current certificate's chain.

SSL_[CTX_]clear_chain_certs() - clear the current certificate's chain.

The patch also adds these functions to, and fixes some existing errors
in, SSL_CTX_add1_chain_cert.pod.
(cherry picked from commit 2f56c9c015dbca45379c9a725915b3b8e765a119)
2013-11-13 23:47:37 +00:00
Dr. Stephen Henson
024dbfd44c Document RSAPublicKey_{in,out} options.
(cherry picked from commit 7040d73d22987532faa503630d6616cf2788c975)
2013-11-09 15:09:22 +00:00
Dr. Stephen Henson
233069f8db Add CMS_SignerInfo_get0_signature function.
Add function to retrieve the signature from a CMS_SignerInfo structure:
applications can then read or modify it.
(cherry picked from commit e8df6cec4c09b9a94c4c07abcf0402d31ec82cc1)
2013-11-09 15:09:22 +00:00
Dr. Stephen Henson
0b33466b3f Add SSL_CONF command to set DH Parameters.
(cherry picked from commit c557f921dc)
2013-11-02 13:42:03 +00:00
Dr. Stephen Henson
044f8ca87d Extend SSL_CONF
Extend SSL_CONF to return command value types.

Add certificate and key options.

Update documentation.
(cherry picked from commit ec2f7e568e)
2013-11-02 13:41:19 +00:00
Dr. Stephen Henson
a78b21fc67 Update cms docs.
(cherry picked from commit dfcb42c68e)
2013-10-01 14:01:19 +01:00
Dr. Stephen Henson
dddb38834e Update cms docs.
Document use of -keyopt to use RSA-PSS and RSA-OAEP modes.
(cherry picked from commit 4bf4a6501c)
2013-10-01 14:01:18 +01:00
Ben Laurie
4f8a706dc7 Merge remote-tracking branch 'trevp/pemfix' into trev-pem-fix 2013-09-20 15:39:08 -07:00
Rob Stradling
07df5018be Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
2013-09-16 14:03:21 +01:00
Dr. Stephen Henson
593605d3ec Document supported curve functions.
(cherry picked from commit c3eb33763b)
2013-09-03 15:43:59 +01:00
Dr. Stephen Henson
c9ea4df8f9 Document -force_pubkey option.
(cherry picked from commit b093a06866bf632a97a9a0286e2d08f69c3cf7dd)
2013-08-21 13:41:17 +01:00
Dr. Stephen Henson
89ff56faf1 Correct ECDSA example.
(cherry picked from commit 3a918ea2bbf4175d9461f81be1403d3781b2c0dc)
2013-08-20 17:30:16 +01:00
Dr. Stephen Henson
df430489cf Add documentation.
Preliminary documentation for chain and verify stores and certificate chain
setting functions.
(cherry picked from commit eeb15452a0)
2013-08-18 13:53:32 +01:00
Trevor
e27711cfdd Trying cherrypick:
Add support for arbitrary TLS extensions.

Contributed by Trevor Perrin.

Conflicts:

	CHANGES
	ssl/ssl.h
	ssl/ssltest.c
	test/testssl

Fix compilation due to #endif.

Cherrypicking more stuff.

Cleanup of custom extension stuff.

serverinfo rejects non-empty extensions.

Omit extension if no relevant serverinfo data.

Improve error-handling in serverinfo callback.

Cosmetic cleanups.

s_client documentation.

s_server documentation.

SSL_CTX_serverinfo documentation.

Cleaup -1 and NULL callback handling for custom extensions, add tests.

Cleanup ssl_rsa.c serverinfo code.

Whitespace cleanup.

Improve comments in ssl.h for serverinfo.

Whitespace.

Cosmetic cleanup.

Reject non-zero-len serverinfo extensions.

Whitespace.

Make it build.

Conflicts:

	test/testssl
2013-07-03 11:53:30 +01:00
Dr. Stephen Henson
e1dee801b9 Add function CMS_RecipientInfo_encrypt
Add CMS_RecipientInfo_encrypt: this function encrypts an existing content
encryption key to match the key in the RecipientInfo structure: this is
useful if a new recpient is added to and existing enveloped data structure.

Add documentation.
(cherry picked from commit e1f1d28f34)
2013-02-26 17:06:08 +00:00
Dr. Stephen Henson
1510b1f4c2 Update SSL_CONF docs.
Fix some typos and update version number first added: it has now been
backported to OpenSSL 1.0.2.
(cherry picked from commit 4365e4aad9)
2013-02-26 15:29:49 +00:00
Nick Alcock
ae5c1ca377 Fix POD errors to stop make install_docs dying with pod2man 2.5.0+
podlators 2.5.0 has switched to dying on POD syntax errors. This means
that a bunch of long-standing erroneous POD in the openssl documentation
now leads to fatal errors from pod2man, halting installation.

Unfortunately POD constraints mean that you have to sort numeric lists
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
you want 1 to appear first. I've reshuffled such (alas, I wish there
were a better way but I don't know of one).
(cherry picked from commit 5cc2707742)
2013-02-15 19:39:59 +01:00
Ben Laurie
010ac38a98 Correct EVP_PKEY_verifyrecover to EVP_PKEY_verify_recover (RT 2955). 2013-01-12 12:51:58 +00:00
Dr. Stephen Henson
49ef33fa34 add SSL_CONF functions and documentation (backport from HEAD) 2012-12-29 13:30:56 +00:00
Ben Laurie
4e72220fd6 Documentation improvements by Chris Palmer (Google). 2012-12-14 13:29:17 +00:00
Ben Laurie
5dca1e338c Document -pubkey option. 2012-12-13 16:16:48 +00:00
Dr. Stephen Henson
1d5f3f4640 correct docs 2012-11-19 20:06:57 +00:00
Richard Levitte
8baf604a39 Correct environment variable is OPENSSL_ALLOW_PROXY_CERTS. 2012-05-04 10:43:24 +00:00
Dr. Stephen Henson
b344a826ad update rather ancient EVP digest documentation 2012-04-10 22:28:13 +00:00
Dr. Stephen Henson
cdb41713a4 Document RFC5114 "generation" options.
(backport from HEAD)
2012-04-07 20:42:17 +00:00
Andy Polyakov
1fb07a7de8 doc/apps: formatting fixes [from HEAD].
PR: 2683
Submitted by: Annie Yousar
2012-01-11 21:58:42 +00:00
Andy Polyakov
c6706a6f6c ecdsa.pod: typo.
PR: 2678
Submitted by: Annie Yousar
2012-01-11 21:41:50 +00:00
Dr. Stephen Henson
efbb7ee432 PR: 1794
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

Document unknown_psk_identify alert, remove pre-RFC 5054 string from
ssl_stat.c
2011-11-13 13:13:14 +00:00
Bodo Möller
79571bb1ca Clarify warning 2011-10-13 13:25:03 +00:00
Bodo Möller
1dc4c8c727 Fix typo.
Submitted by: Jim Morrison
2011-07-11 12:13:56 +00:00
Bodo Möller
346601bc32 CVE-2010-4180 fix (from OpenSSL_1_0_0-stable) 2011-02-03 10:42:00 +00:00
Dr. Stephen Henson
61c10d42f6 fix doc typos 2010-12-02 13:45:25 +00:00
Dr. Stephen Henson
0172ad2902 Minor documentation fixes, PR#2345 2010-10-04 13:28:27 +00:00
Dr. Stephen Henson
d9aa352ff0 Minor documentation fixes, PR#2344 2010-10-04 13:24:07 +00:00
Dr. Stephen Henson
ca91057d50 PR: 2252
Submitted By: Ger Hobbelt <ger@hobbelt.com>

Update docs to BIO_f_buffer()
2010-05-03 15:29:51 +00:00
Andy Polyakov
336d1ee733 bss_file.c: reserve for option to encode file name in UTF-8 on Windows
[from HEAD].
2010-04-28 20:04:37 +00:00
Dr. Stephen Henson
acc9938ba5 Add SHA2 algorithms to SSL_library_init(). Although these aren't used
directly by SSL/TLS SHA2 certificates are becoming more common and
applications that only call SSL_library_init() and not
OpenSSL_add_all_alrgorithms() will fail when verifying certificates.

Update docs.
2010-04-07 13:18:30 +00:00
Dr. Stephen Henson
f6d13ac8cf Remove obsolete PRNG note. Add comment about use of SHA256 et al. 2010-04-06 15:05:47 +00:00
Dr. Stephen Henson
24cb653c6b PR: 2209
Submitted Daniel Mentz <danielml@sent.com>

Documentation typo.
2010-04-06 14:45:31 +00:00
Dr. Stephen Henson
6507653e72 The meaning of the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT error codes were reversed in
the verify application documentation.
2010-02-23 14:09:22 +00:00
Dr. Stephen Henson
4f3d52fedc clarify documentation 2010-02-18 12:41:50 +00:00
Dr. Stephen Henson
989238802a Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
2010-02-17 18:38:10 +00:00
Dr. Stephen Henson
81d87a2a28 update references to new RI RFC 2010-02-12 21:59:57 +00:00
Dr. Stephen Henson
5a6ae115f8 reword RI description 2010-01-27 18:53:49 +00:00
Dr. Stephen Henson
5e5df40b9b update documentation to reflect new renegotiation options 2010-01-27 17:50:20 +00:00
Dr. Stephen Henson
a758f61793 PR: 2157
Submitted by: "Green, Paul" <Paul.Green@stratus.com>

Typo.
2010-01-27 12:55:52 +00:00
Dr. Stephen Henson
1699389a46 Tolerate PKCS#8 DSA format with negative private key. 2010-01-22 20:17:30 +00:00
Dr. Stephen Henson
39f0a4d8e9 typo 2010-01-21 18:46:28 +00:00
Dr. Stephen Henson
93fac08ec3 PR: 2136
Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at>

Add options to output hash using older algorithm compatible with OpenSSL
versions before 1.0.0
2010-01-12 17:27:11 +00:00
Dr. Stephen Henson
4359b88bbe Typo 2010-01-05 17:50:01 +00:00
Dr. Stephen Henson
6e94156199 Remove tabs on blank lines: they produce warnings in pod2man 2010-01-05 17:17:20 +00:00
Dr. Stephen Henson
730f5752ff clarify docs 2009-12-09 18:17:09 +00:00
Dr. Stephen Henson
a88c73b43a Document option clearning functions.
Initial secure renegotiation documentation.
2009-12-09 18:00:52 +00:00
Dr. Stephen Henson
e274c8fb72 typo 2009-11-29 13:45:18 +00:00
Dr. Stephen Henson
67bcde9ba8 PR: 2078
Submitted by: Dale Anderson <dra@redevised.net>
Approved by: steve@openssl.org

Corrections to bn_internal documentation.
2009-10-28 13:51:56 +00:00
Dr. Stephen Henson
5b2b60ae98 Document additions for X509 chain verification from HEAD 2009-10-18 15:28:59 +00:00
Dr. Stephen Henson
164c263b5c PR: 2074
Submitted by: Bram Neijt <bneijt@gmail.com>
Approved by: steve@openssl.org

Typo: "contet".
2009-10-16 15:29:34 +00:00
Dr. Stephen Henson
50425bc137 Change version from 0.9.9 to 1.0.0 in docs 2009-09-30 23:40:52 +00:00
Dr. Stephen Henson
3333428b44 PR: 2023
Submitted by: James Beckett <jmb.openssl@nospam.hackery.net>, steve
Approved by: steve@openssl.org

Fix documentation errors in d2i_X509 manual pages.
2009-09-12 23:34:56 +00:00
Dr. Stephen Henson
a131de9bb2 PR: 2025
Submitted by: Tomas Mraz <tmraz@redhat.com>
Approved by: steve@openssl.org

Constify SSL_CIPHER_description
2009-09-12 23:18:09 +00:00