- 07 Sep, 2017 1 commit
-
-
Benjamin Kaduk authored
In OpenSSL 1.1.0, when there were no extensions added to the ServerHello, we did not write the extension data length bytes to the end of the ServerHello; this is needed for compatibility with old client implementations that do not support TLS extensions (such as the default configuration of OpenSSL 0.9.8). When ServerHello extension construction was converted to the new extensions framework in commit 7da160b0 , this behavior was inadvertently limited to cases when SSLv3 was negotiated (and similarly for ClientHellos), presumably since extensions are not defined at all for SSLv3. However, extensions for TLS prior to TLS 1.3 have been defined in separate RFCs (6066, 4366, and 3546) from the TLS protocol specifications, and as such should be considered an optional protocol feature in those cases. Accordingly, be conservative in what we send, and skip the extensions block when there are no extensions to be sent, regardless of the TLS/SSL version. (TLS 1.3 requires extensions and can safely be treated differently.) Reviewed-by:
Matt Caswell <matt@openssl.org> Reviewed-by:
Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4296)
-
- 06 Sep, 2017 2 commits
-
-
Rich Salz authored
Reviewed-by:
-
Alfred E. Heggestad authored
Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4011)
-
- 05 Sep, 2017 1 commit
-
-
Richard Levitte authored
This quiets down complaints about the use of uninitialised memory [extended tests] Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4340)
-
- 04 Sep, 2017 3 commits
-
-
Matt Caswell authored
clienthellotest tries to fill out the size of the ClientHello by adding extra ciphersuites in order to test the padding extension. This is unreliable because they are very dependent on configuration options. If we add too much data the test will fail! We were already also adding some dummy ALPN protocols to pad out the size, and it turns out that this is sufficient just in itself, so drop the extra ciphersuites. Reviewed-by:
-
Matt Caswell authored
The padding extension should always be at least 1 byte long Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
- 03 Sep, 2017 2 commits
-
-
Pauli authored
[extended tests] Reviewed-by:
-
Richard Levitte authored
Some URIs get "mistreated" (converted) by the MSYS run-time. Unfortunately, avoiding this conversion doesn't help either. http://www.mingw.org/wiki/Posix_path_conversion Fixes #4314 Reviewed-by:Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4322)
-
- 02 Sep, 2017 4 commits
-
-
Rich Salz authored
Reviewed-by:
-
Andy Polyakov authored
Addresses GH#2167. Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4311)
-
Andy Polyakov authored
Ironically enough not all installations get Module::Load::Conditional installed by default... [It's a bit half-hearted, because such installations are likely to lack more stuffi that is needed, but nevertheless, it proved to be helpful.] Reviewed-by:
-
Rich Salz authored
Deprecated functions are still documented. Put HISTORY after SEE ALSO; add HISTORY to BN_zero Reviewed-by:
-
- 01 Sep, 2017 8 commits
-
-
Richard Levitte authored
Reviewed-by:
-
Benjamin Kaduk authored
If the server_name extension is long enough to require two bytes to hold the length of either field, the test suite would not decode the length properly. Using the PACKET_ APIs would have avoided this, but it was desired to avoid using private APIs in this part of the test suite, to keep ourselves honest. Reviewed-by:
-
Benjamin Kaduk authored
The include search path was not picking up files in the root of the tree. [extended tests] Reviewed-by:
-
Benjamin Kaduk authored
This function is really emulating what would happen in client mode, and does not necessarily reflect what is usable for a server SSL. Make this a bit more explicit, and do some wordsmithing while here. Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Andy Polyakov authored
OPENSSL_ia32cap.pod discusses possibility to disable operations on XMM register bank. This formally means that this flag has to be checked in combination with other flags. But it customarily isn't. But instead of chasing all the cases we can flip more bits together with FXSR one. Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
This is actually not all warnings, only return values. Reviewed-by:
-
- 31 Aug, 2017 19 commits
-
-
Pauli authored
Move struct timeval includes into e_os.h (where the Windows ones were). Enaure that the include is guarded canonically. Refer #4271 Reviewed-by:
-
Rich Salz authored
Reviewed-by:
-
Rich Salz authored
Reviewed-by:
-
Pauli authored
Reviewed-by:
Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4313)
-
Rich Salz authored
Reviewed-by:
-
Richard Levitte authored
The program will fail to run if it doesn't exist anyway, no need to check its existence here. Fixes #4306 Reviewed-by:
-
Richard Levitte authored
When parsing the header files, mkdef.pl didn't clear the line terminator properly. In most cases, this didn't matter, but there were moments when this caused parsing errors (such as CRLFs in certain cases). Fixes #4267 Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3926)
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
SNI and ALPN must be set to be consistent with the PSK. Otherwise this is an error. Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
If there is no SNI in the session then s_client no longer sends the SNI extension. Update the tests to take account of that Reviewed-by:
-
Matt Caswell authored
If we have not decided on an SNI value yet, but we are attempting to reuse a session, and SNI is set in that, then we should use that value by default. Reviewed-by:
-
