Dr. Stephen Henson
442ac8d259
Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
...
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
2010-02-17 18:37:47 +00:00
Dr. Stephen Henson
3798a4d059
Simplify RI+SCSV logic:
...
1. Send SCSV is not renegotiating, never empty RI.
2. Send RI if renegotiating.
2010-01-07 19:09:32 +00:00
Dr. Stephen Henson
98809a1458
Alert to use is now defined in spec: update code
2009-12-17 15:42:25 +00:00
Dr. Stephen Henson
ccc3df8c33
New option to enable/disable connection to unpatched servers
2009-12-16 20:34:20 +00:00
Dr. Stephen Henson
593a6dbe19
add another missed case
2009-12-14 01:32:47 +00:00
Dr. Stephen Henson
efbe446f1a
simplify RI error code and catch extra error case ignored before
2009-12-14 01:28:51 +00:00
Dr. Stephen Henson
725745d105
Allow initial connection (but no renegoriation) to servers which don't support
...
RI.
2009-12-14 01:09:01 +00:00
Dr. Stephen Henson
7a014dceb6
Add support for magic cipher suite value (MCSV). Make secure renegotiation
...
work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.
NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.
Change mismatch alerts to handshake_failure as required by spec.
Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
2009-12-08 13:15:38 +00:00
Dr. Stephen Henson
b14713c231
Include a more meaningful error message when rejecting legacy renegotiation
2009-11-18 14:24:00 +00:00
Dr. Stephen Henson
af13c50d51
Fix wrong function codes and duplicate codes
2009-11-09 18:21:57 +00:00
Ben Laurie
c2b78c31d6
First cut of renegotiation extension.
2009-11-08 14:51:54 +00:00
Dr. Stephen Henson
a1dc0336dd
Re-revert (re-insert?) temporary change that made renegotiation work again
...
and add a proper fix: specifically if it is a new session don't send the old
TLS ticket, send a zero length ticket to request a new session.
2009-11-08 14:30:22 +00:00
Dr. Stephen Henson
2a8834cf89
Fix stateless session resumption so it can coexist with SNI
2009-10-30 13:28:07 +00:00
Dr. Stephen Henson
197ab47bdd
PR: 2028
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
Fix DTLS cookie management bugs.
2009-09-04 17:53:30 +00:00
Dr. Stephen Henson
5d577d7eb0
Update from 1.0.0-stable.
2009-04-28 22:02:16 +00:00
Dr. Stephen Henson
8f59c61d1d
If tickets disabled behave as if no ticket received to support
...
stateful resume.
2008-09-03 22:13:04 +00:00
Mark J. Cox
d3b3a6d389
Fix double-free in TLS server name extensions which could lead to a remote
...
crash found by Codenomicon TLS test suite (CVE-2008-0891)
Reviewed by: openssl-security@openssl.org
Obtained from: jorton@redhat.com
2008-05-28 07:26:33 +00:00
Dr. Stephen Henson
db533c96e3
TLS ticket key setting callback: this allows and application to set
...
its own TLS ticket keys.
2008-04-30 16:11:33 +00:00
Dr. Stephen Henson
5f95651316
Ensure the ticket expected flag is reset when a stateless resumption is
...
successful.
2007-10-18 11:39:11 +00:00
Dr. Stephen Henson
a523276786
Backport certificate status request TLS extension support to 0.9.8.
2007-10-12 00:00:36 +00:00
Bodo Möller
4ab0088bfe
More changes from HEAD:
...
- no need to disable SSL 2.0 for SSL_CTRL_SET_TLSEXT_HOSTNAME
now that ssl23_client_hello takes care of that
- fix buffer overrun checks in ssl_add_serverhello_tlsext()
2007-09-21 14:05:08 +00:00
Dr. Stephen Henson
3bd1690bfb
Fixes from HEAD.
2007-09-21 13:40:51 +00:00
Dr. Stephen Henson
afdbadc704
Update from HEAD.
2007-08-20 12:44:22 +00:00
Dr. Stephen Henson
865a90eb4f
Backport of TLS extension code to OpenSSL 0.9.8.
...
Include server name and RFC4507bis support.
This is not compiled in by default and must be explicitly enabled with
the Configure option enable-tlsext
2007-08-12 18:59:03 +00:00
Dr. Stephen Henson
4479ce9c1c
Update from HEAD.
2007-01-21 16:07:25 +00:00
Dr. Stephen Henson
222f224664
Initialize SSL_METHOD structures at compile time. This removes the need
...
for locking code. The CRYPTO_LOCK_SSL_METHOD lock is now no longer used.
2005-08-05 23:52:08 +00:00
Ben Laurie
36d16f8ee0
Add DTLS support.
2005-04-26 16:02:40 +00:00
Ben Laurie
41a15c4f0f
Give everything prototypes (well, everything that's actually used).
2005-03-31 09:26:39 +00:00
Richard Levitte
d3442bc780
Move the registration of callback functions to special functions
...
designed for that. This removes the potential error to mix data and
function pointers.
Please note that I'm a little unsure how incorrect calls to the old
ctrl functions should be handled, in som cases. I currently return 0
and that's it, but it may be more correct to generate a genuine error
in those cases.
2000-02-20 23:43:02 +00:00
Ulf Möller
9d1a01be8f
Source code cleanups: Use void * rather than char * in lhash,
...
eliminate some of the -Wcast-qual warnings (debug-ben-strict target)
2000-01-30 22:20:28 +00:00
Ulf Möller
de808df47b
Cosmetic changes.
1999-09-29 22:14:47 +00:00
Bodo Möller
ec577822f9
Change #include filenames from <foo.h> to <openssl.h>.
...
Submitted by:
Reviewed by:
PR:
1999-04-23 22:13:45 +00:00
Ulf Möller
6b691a5c85
Change functions to ANSI C.
1999-04-19 21:31:43 +00:00
Ben Laurie
b4cadc6e13
Fix security hole.
1999-03-22 12:22:14 +00:00
Ralf S. Engelschall
9cb0969f65
Fix version stuff:
...
1. The already released version was 0.9.1c and not 0.9.1b
2. The next release should be 0.9.2 and not 0.9.1d, because
first the changes are already too large, second we should avoid any more
0.9.1x confusions and third, the Apache version semantics of
VERSION.REVISION.PATCHLEVEL for the version string is reasonable (and here
.2 is already just a patchlevel and not major change).
tVS: ----------------------------------------------------------------------
1998-12-31 09:36:40 +00:00
Ralf S. Engelschall
320a14cb5b
*** empty log message ***
1998-12-23 12:09:47 +00:00
Ralf S. Engelschall
5f32680329
Switch version string to SSLeay/OpenSSL
1998-12-23 07:53:55 +00:00
Ralf S. Engelschall
651d0aff98
Various cleanups and fixed by Marc and Ralf to start the OpenTLS project
1998-12-22 15:04:48 +00:00
Ralf S. Engelschall
dfeab0689f
Import of old SSLeay release: SSLeay 0.9.1b (unreleased)
1998-12-21 11:00:56 +00:00
Ralf S. Engelschall
58964a4922
Import of old SSLeay release: SSLeay 0.9.0b
1998-12-21 10:56:39 +00:00