Skip to content
  1. Jun 29, 2012
    • Dr. Stephen Henson's avatar
      Add certificate callback. If set this is called whenever a certificate · 18d71588
      Dr. Stephen Henson authored
      is required by client or server. An application can decide which
      certificate chain to present based on arbitrary criteria: for example
      supported signature algorithms. Add very simple example to s_server.
      This fixes many of the problems and restrictions of the existing client
      certificate callback: for example you can now clear existing certificates
      and specify the whole chain.
      18d71588
  2. Jun 28, 2012
    • Dr. Stephen Henson's avatar
      Add new "valid_flags" field to CERT_PKEY structure which determines what · d61ff83b
      Dr. Stephen Henson authored
      the certificate can be used for (if anything). Set valid_flags field
      in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
      to have similar checks in it.
      
      Add new "cert_flags" field to CERT structure and include a "strict mode".
      This enforces some TLS certificate requirements (such as only permitting
      certificate signature algorithms contained in the supported algorithms
      extension) which some implementations ignore: this option should be used
      with caution as it could cause interoperability issues.
      d61ff83b
  3. Jun 25, 2012
  4. Jun 22, 2012
  5. Jun 18, 2012
  6. Jun 15, 2012
  7. Jun 13, 2012
  8. Jun 12, 2012
  9. May 30, 2012
  10. May 11, 2012
    • Dr. Stephen Henson's avatar
      PR: 2813 · 4242a090
      Dr. Stephen Henson authored
      Reported by: Constantine Sapuntzakis <csapuntz@gmail.com>
      
      Fix possible deadlock when decoding public keys.
      4242a090
    • Dr. Stephen Henson's avatar
      PR: 2811 · c3b13033
      Dr. Stephen Henson authored
      Reported by: Phil Pennock <openssl-dev@spodhuis.org>
      
      Make renegotiation work for TLS 1.2, 1.1 by not using a lower record
      version client hello workaround if renegotiating.
      c3b13033
  11. May 10, 2012
  12. Apr 26, 2012
  13. Apr 25, 2012
  14. Apr 19, 2012
  15. Apr 17, 2012
  16. Apr 05, 2012
  17. Mar 31, 2012
  18. Mar 28, 2012
    • Dr. Stephen Henson's avatar
      Initial revision of ECC extension handling. · d0595f17
      Dr. Stephen Henson authored
      Tidy some code up.
      
      Don't allocate a structure to handle ECC extensions when it is used for
      default values.
      
      Make supported curves configurable.
      
      Add ctrls to retrieve shared curves: not fully integrated with rest of
      ECC code yet.
      d0595f17
  19. Mar 06, 2012
  20. Feb 21, 2012
  21. Feb 16, 2012
  22. Feb 15, 2012
    • Dr. Stephen Henson's avatar
      Additional compatibility fix for MDC2 signature format. · 58631637
      Dr. Stephen Henson authored
      Update RSA EVP_PKEY_METHOD to use the OCTET STRING form of MDC2 signature:
      this will make all versions of MDC2 signature equivalent.
      58631637
    • Dr. Stephen Henson's avatar
      An incompatibility has always existed between the format used for RSA · 83cb7c46
      Dr. Stephen Henson authored
      signatures and MDC2 using EVP or RSA_sign. This has become more apparent
      when the dgst utility in OpenSSL 1.0.0 and later switched to using the
      EVP_DigestSign functions which call RSA_sign.
      
      This means that the signature format OpenSSL 1.0.0 and later used with
      dgst -sign and MDC2 is incompatible with previous versions.
      
      Add detection in RSA_verify so either format works.
      
      Note: MDC2 is disabled by default in OpenSSL and very rarely used in practice.
      83cb7c46
  23. Feb 09, 2012
  24. Jan 31, 2012
  25. Jan 25, 2012
  26. Jan 18, 2012
  27. Jan 17, 2012
  28. Jan 16, 2012
    • Dr. Stephen Henson's avatar
      Support for fixed DH ciphersuites. · 8e1dc4d7
      Dr. Stephen Henson authored
      The cipher definitions of these ciphersuites have been around since SSLeay
      but were always disabled. Now OpenSSL supports DH certificates they can be
      finally enabled.
      
      Various additional changes were needed to make them work properly: many
      unused fixed DH sections of code were untested.
      8e1dc4d7
  29. Jan 05, 2012
  30. Jan 04, 2012