| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
to not only check the OpenSSL compatibility version.
|
|
|
|
|
| |
to OpenSSL 1.1.1q and 3.0.7 (warning only)
and WolfSSL 5.4.0 (force break build)
|
|
|
|
|
| |
This is to emit warnings if the SSL library is older than the latest versions available
at packaging time, except for LibreSSL which is unsupported anyways.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
See https://github.com/wolfSSL/wolfssl/issues/4593
The earlier assumption that SSL_CTX_set_mode() worked was
untrue (wolfSSL 5.0.0 does not implement it), and masked
by the selection of servers used for testing.
Also, wolfSSL 5.0.0 does not implement SSL_CTX_set_mode(),
which went unnoticed because the interface does not support
returning errors (it returns the updated mode bitfield value).
|
| |
|
|
|
|
|
|
|
|
| |
On OpenBSD, libressl is "normally distributed (in either source or
binary form) with the major components (compiler, kernel, and so on) of
the operating system on which the executable runs" according to Stuart
Henderson, so according to the GNU GPL v2 clause 3, we can permit
LibreSSL for OpenBSD.
|
| |
|
|
|
|
|
|
|
|
| |
This is the proper fix for wolfSSL 5.0 and OpenSSL before 1.1.1
to avoid the "SSL_peek()" not truly blocking issue.
Only OpenSSL 1.1.1 enables this mode by default, so make this
explicit.
|
|
|
|
| |
This reverts commit 0d32056e7b14bd029aa375f59230a3ad3e2bae51.
|
|
|
|
|
| |
...because wolfSSL 5.0.0 does not support a default trust store, unlike
OpenSSL.
|
|
|
|
|
|
|
|
| |
SSL_peek() may return 0 on blocking I/O with SSL_get_error() returning
SSL_ERROR_WANT_READ. This should not occur on blocking I/O, and does
not occur with OpenSSL 1.0.2, 1.1.1, 3.0.
This caused a socket error right after SSL negotiation.
|
| |
|
|
|
|
|
|
|
|
| |
The original comparison contained a typo,
0x1000200fL == (ver & 0xfffff000L) and could never match.
Fix, and also match at compile time to not even reference
this flag on other OpenSSL versions.
|
|
|
|
|
| |
...in order to safely remove the obsolete OpenSSL flag
SSL_OP_SINGLE_DH_USE.
|
|
|
|
| |
See COPYING or NEWS.
|
|
|
|
| |
...of cross-signed certificate.
|
| |
|
| |
|
|
|
|
|
| |
the latter is deprecated in OpenSSL 3, and the user might use some
other key than RSA.
|
|
|
|
| |
to avoid compatibility issues with new OpenSSL versions later on.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL 1.0.2 is EOL since end of 2019, so warn if it is to be used
at configure and compile time.
The assumption is that 1.0.2 may still be in use by maintainers that
backport security fixes.
Also warn, at configure time, about "OpenSSL" API-compatible libraries
that do not declare TLS1_3_VERSION.
|
|
|
|
|
|
|
| |
and fix a typo in README.SSL. The reference will be printed if there is
no trust anchor.
Fixes #4 (Gitlab issue).
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 418cda65 from merge request !5 fixed an input buffer overrun but at the
same time caused the terminating NUL byte in the output buffer to be written
too late, 2 bytes per placeholder.
Fix the size calculation for correctness, and use the output index
and not the output length to terminate the output string.
Fixes #16, reported by Stefan Thurner. [All references for Gitlab.]
|
| |
|
| |
|
|
|
|
|
|
| |
* Normalize include order.
* Backport missed bug fixes.
* Remove dead code.
|
|
|
|
| |
Fixes Debian Bug#928916, reported by Paul Kimoto.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
...when deprecated functions are disabled, for instance,
through -DOPENSSL_API_COMPAT=0x10100000L.
|
| |
|
|
|
|
|
|
|
|
| |
parse_plugin() expands the % in plugin string to plugin_copy. It
checks that is does not write behind the end of the destination
memory, but the source length was not checked. This resulted in
reading from a possibly invalid memory location which may cause a
segmentation fault. Add a check for the string length of the source.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Ubuntu 16.04 LTS, in a misguided attempt to avoid SSLv3 without breaking
the API, does not declare SSLv3 unsupported through the headers, so
applications can only detect this situation at run-time.
The symptom is that SSL_CTX_new errors out with
SSL_R_NULL_SSL_METHOD_PASSED on the error stack, issue an additional
note telling the user to select a newer version.
|
|
|
|
|
|
|
| |
This avoids functions marked deprecated in OpenSSL 1.1.0.
At the same time, warn about unsupported use of LibreSSL, and treat
LibreSSL the same as OpenSSL 1.0.X WRT protocol version logic.
|
| |
|
| |
|
| |
|
|
|
|
| |
LibreSSL does not provide a TLS_MAX_VERSION, so do not refer to it.
|
| |
|