Dr. Stephen Henson
a4c4a7d5ca
stop warning when compiling with no-comp
2012-12-29 23:37:56 +00:00
Dr. Stephen Henson
024e6fed62
typo
2012-12-26 15:23:42 +00:00
Dr. Stephen Henson
230ec17d74
Use client version when deciding which cipher suites to disable.
2012-12-18 13:25:47 +00:00
Andy Polyakov
f469880c61
d1_lib.c,bss_dgram.c: eliminate dependency on _ftime.
2012-12-16 19:02:59 +00:00
Dr. Stephen Henson
b34aa49c25
revert SUITEB128ONLY patch, anything wanting to use P-384 can use SUITEB128 instead
2012-12-10 02:02:16 +00:00
Dr. Stephen Henson
d372d36592
allow ECDSA+SHA384 signature algorithm in SUITEB128ONLY mode
2012-12-09 16:03:34 +00:00
Dr. Stephen Henson
36b5bb6f2f
send out the raw SSL/TLS headers to the msg_callback and display them in SSL_trace
2012-12-07 23:42:33 +00:00
Dr. Stephen Henson
083bec780d
typo
2012-12-07 13:23:49 +00:00
Dr. Stephen Henson
1edf8f1b4e
really fix automatic ;-)
2012-12-07 12:41:13 +00:00
Dr. Stephen Henson
f1f5c70a04
fix handling of "automatic" in file mode
2012-12-06 21:53:05 +00:00
Dr. Stephen Henson
4842dde80c
return error if Suite B mode is selected and TLS 1.2 can't be used. Correct error coded
2012-12-01 18:33:21 +00:00
Dr. Stephen Henson
84bafb7471
Print out point format list for clients too.
2012-11-26 18:39:38 +00:00
Dr. Stephen Henson
5087afa108
Use default point formats extension for server side as well as client
...
side, if possible.
Don't advertise compressed char2 for SuiteB as it is not supported.
2012-11-26 18:38:10 +00:00
Dr. Stephen Henson
93c2c9befc
change inaccurate error message
2012-11-26 15:47:32 +00:00
Dr. Stephen Henson
d900c0ae14
set auto ecdh parameter selction for Suite B
2012-11-26 15:10:50 +00:00
Dr. Stephen Henson
1c16fd1f03
add Suite B 128 bit mode offering only combination 2
2012-11-24 00:59:51 +00:00
Dr. Stephen Henson
20b431e3a9
Add support for printing out and retrieving EC point formats extension.
2012-11-22 15:20:53 +00:00
Dr. Stephen Henson
e83aefb3a0
reject zero length point format list or supported curves extensions
2012-11-22 14:15:44 +00:00
Dr. Stephen Henson
2588d4ca41
curves can be set in both client and server
2012-11-21 17:01:46 +00:00
Dr. Stephen Henson
878b5d07ef
use correct return values when callin cmd
2012-11-21 16:59:33 +00:00
Dr. Stephen Henson
98a7edf9f0
make depend
2012-11-19 13:18:09 +00:00
Dr. Stephen Henson
ddd13d677b
fix typo and warning
2012-11-19 02:46:46 +00:00
Dr. Stephen Henson
3db935a9e5
add SSL_CONF functions and documentation
2012-11-16 19:12:24 +00:00
Dr. Stephen Henson
51b9115b6d
new command line option -stdname to ciphers utility
2012-11-16 00:35:46 +00:00
Dr. Stephen Henson
8ab92fc646
add "missing" TLSv1.2 cipher alias
2012-11-15 19:14:47 +00:00
Dr. Stephen Henson
8bb870df9e
new feature: if ctx==NULL in SSL_CTX_ctrl perform syntax checking only for some operations (currently curves and signature algorithms)
2012-11-08 14:24:51 +00:00
Dr. Stephen Henson
323fa64559
If OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL is set allow the use of "SCSV" as
...
a ciphersuite to position the SCSV value in different places for testing
purposes.
2012-09-30 12:39:27 +00:00
Richard Levitte
4d88fc8173
* ssl/t1_enc.c (tls1_change_cipher_state): Stupid bug. Fortunately in
...
debugging code that's seldom used.
2012-09-21 13:08:24 +00:00
Dr. Stephen Henson
94a209d8e1
Add ctrl and utility functions to retrieve raw cipher list sent by client in
...
client hello message. Previously this could only be retrieved on an initial
connection and it was impossible to determine the cipher IDs of any uknown
ciphersuites.
2012-09-12 13:57:48 +00:00
Dr. Stephen Henson
e5db9c3b67
Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate
...
change the current certificate (in s->cert->key) to the one used and then
SSL_get_certificate and SSL_get_privatekey will automatically work.
2012-09-11 13:34:08 +00:00
Ben Laurie
2daceb0342
Call OCSP Stapling callback after ciphersuite has been chosen, so the
...
right response is stapled. Also change SSL_get_certificate() so it
returns the certificate actually sent. See
http://rt.openssl.org/Ticket/Display.html?id=2836 .
2012-09-11 12:57:46 +00:00
Dr. Stephen Henson
33a8de69dc
new ctrl to retrive value of received temporary key in server key exchange message, print out details in s_client
2012-09-08 13:59:51 +00:00
Dr. Stephen Henson
319354eb6c
store and print out message digest peer signed with in TLS 1.2
2012-09-07 12:53:42 +00:00
Dr. Stephen Henson
d47c01a31a
perform sanity checks on server certificate type as soon as it is received instead of waiting until server key exchange
2012-08-31 11:18:54 +00:00
Dr. Stephen Henson
becfdb995b
give more meaningful error if presented with wrong certificate type by server
2012-08-30 12:46:22 +00:00
Dr. Stephen Henson
ed83ba5321
Add compilation flag to disable certain protocol checks and allow use of
...
some invalid operations for testing purposes. Currently this can be used
to sign using digests the peer doesn't support, EC curves the peer
doesn't support and use certificates which don't match the type associated
with a ciphersuite.
2012-08-29 13:18:34 +00:00
Dr. Stephen Henson
81f57e5a69
oops, typo
2012-08-28 23:19:25 +00:00
Dr. Stephen Henson
1cf218bcaa
New compile time option OPENSSL_SSL_TRACE_CRYPTO, when set this passes
...
all derived keys to the message callback.
Add code to SSL_trace to include support for printing out keys.
2012-08-28 23:17:28 +00:00
Dr. Stephen Henson
2ea8035460
Add three Suite B modes to TLS code, supporting RFC6460.
2012-08-15 15:15:05 +00:00
Dr. Stephen Henson
3b0648ebc9
Rename Suite B functions for consistency.
...
New function X509_chain_up_ref to dup and up the reference count of
a STACK_OF(X509): replace equivalent functionality in several places
by the equivalent call.
2012-08-03 15:58:15 +00:00
Dr. Stephen Henson
6dbb6219e7
Make tls1_check_chain return a set of flags indicating checks passed
...
by a certificate chain. Add additional tests to handle client
certificates: checks for matching certificate type and issuer name
comparison.
Print out results of checks for each candidate chain tested in
s_server/s_client.
2012-07-27 13:39:23 +00:00
Dr. Stephen Henson
ec4a50b3c3
Abort handshake if signature algorithm used not supported by peer.
2012-07-24 18:11:27 +00:00
Dr. Stephen Henson
d18b716d25
check EC tmp key matches preferences
2012-07-24 13:47:40 +00:00
Dr. Stephen Henson
1e4cb467e1
typo
2012-07-24 13:32:40 +00:00
Dr. Stephen Henson
74ecfab401
Add support for certificate stores in CERT structure. This makes it
...
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distint stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.
Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
2012-07-23 23:34:28 +00:00
Dr. Stephen Henson
050ce4ca42
set ciphers to NULL before calling cert_cb
2012-07-20 15:21:23 +00:00
Dr. Stephen Henson
8e2a06bf5c
stop warning
2012-07-19 16:57:19 +00:00
Dr. Stephen Henson
a1644902eb
add ssl_locl.h to err header files, rebuild ssl error strings
2012-07-19 14:45:36 +00:00
Dr. Stephen Henson
b7bfe69b66
New function ssl_set_client_disabled to set masks for any ciphersuites
...
that are disabled for this session (as opposed to always disabled by
configuration).
2012-07-18 14:09:46 +00:00
Dr. Stephen Henson
63fe4ee14c
update trace messages
2012-07-18 13:53:56 +00:00