| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| wolfSSL: work around SSL_peek() error on handshake | Matthias Andree | 2021-12-26 | 1 | -1/+9 |
| See https://github.com/wolfSSL/wolfssl/issues/4593 The earlier assumption that SSL_CTX_set_mode() worked was untrue (wolfSSL 5.0.0 does not implement it), and masked by the selection of servers used for testing. Also, wolfSSL 5.0.0 does not implement SSL_CTX_set_mode(), which went unnoticed because the interface does not support returning errors (it returns the updated mode bitfield value). | | | | |
| Realign comments and variable names. | Matthias Andree | 2021-12-05 | 1 | -4/+4 |
| Permit LibreSSL on OpenBSD. | Matthias Andree | 2021-12-05 | 1 | -2/+6 |
| On OpenBSD, libressl is "normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs" according to Stuart Henderson, so according to the GNU GPL v2 clause 3, we can permit LibreSSL for OpenBSD. | | | | |
| socket.c: SSL_peek/SSL_read consistency fixes. | Matthias Andree | 2021-11-28 | 1 | -19/+16 |
| socket.c: SSL_CTX_set_mode(SSL_MODE_AUTO_RETRY) | Matthias Andree | 2021-11-28 | 1 | -1/+3 |
| This is the proper fix for wolfSSL 5.0 and OpenSSL before 1.1.1 to avoid the "SSL_peek()" not truly blocking issue. Only OpenSSL 1.1.1 enables this mode by default, so make this explicit. | | | | |
| Revert "wolfSSL: workaround 5.0.0 SSL_peek() not truly blocking." | Matthias Andree | 2021-11-28 | 1 | -2/+1 |
| This reverts commit 0d32056e7b14bd029aa375f59230a3ad3e2bae51. | | | | |
| wolfSSL: support WOLFSSL_TRUST_FILE as default trust store | Matthias Andree | 2021-11-21 | 1 | -4/+30 |
| ...because wolfSSL 5.0.0 does not support a default trust store, unlike OpenSSL. | | | | |
| wolfSSL: workaround 5.0.0 SSL_peek() not truly blocking. | Matthias Andree | 2021-11-21 | 1 | -1/+2 |
| SSL_peek() may return 0 on blocking I/O with SSL_get_error() returning SSL_ERROR_WANT_READ. This should not occur on blocking I/O, and does not occur with OpenSSL 1.0.2, 1.1.1, 3.0. This caused a socket error right after SSL negotiation. | | | | |
| wolfSSL: support 5.0.0+. | Matthias Andree | 2021-11-21 | 1 | -13/+43 |
| Fix X509_V_FLAG_TRUSTED_FIRST OpenSSL 1.0.2 workaround | Matthias Andree | 2021-11-20 | 1 | -5/+6 |
| The original comparison contained a typo, 0x1000200fL == (ver & 0xfffff000L), and could never match. Fix, and also match at compile time to not even reference this flag on other OpenSSL versions. | | | | |
| OpenSSL: bump minimum required version to 1.0.2f | Matthias Andree | 2021-11-20 | 1 | -3/+3 |
| ...in order to safely remove the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. | | | | |
| LibreSSL: block, due to licensing issue. | Matthias Andree | 2021-11-20 | 1 | -2/+2 |
| See COPYING or NEWS. | | | | |
| TLS: OpenSSL 1.0.2 workaround Let's Encrypt Expiry | Matthias Andree | 2021-11-01 | 1 | -1/+15 |
| ...of cross-signed certificate. | | | | |
| socket.c: invalid sslproto no longer abort()s | Matthias Andree | 2021-08-28 | 1 | -2/+0 |
| socket.c: plugin/plugout SIGSEGV and memleak fixes | Matthias Andree | 2021-08-26 | 1 | -12/+26 |
| socket.c: SSL_use_PrivateKey_file <- SSL_use_RSAPrivateKey_file, | Matthias Andree | 2021-03-13 | 1 | -1/+1 |
| the latter is deprecated in OpenSSL 3, and the user might use some other key than RSA. | | | | |
| OpenSSL: permit deprecated features, | Matthias Andree | 2021-03-13 | 1 | -1/+5 |
| to avoid compatibility issues with new OpenSSL versions later on. | | | | |
| socket.c: clean up code duplication. | Matthias Andree | 2021-02-27 | 1 | -2/+2 |
| --version: print OpenSSL versions build/run-time and directories | Matthias Andree | 2021-01-30 | 1 | -8/+5 |
| socket.c: Update copyright according to code changes. | Matthias Andree | 2021-01-03 | 1 | -1/+1 |
| "Require" OpenSSL 1.1.1 and tolerate/warn 1.0.2. | Matthias Andree | 2020-03-30 | 1 | -0/+4 |
| OpenSSL 1.0.2 is EOL since end of 2019, so warn if it is to be used at configure and compile time. The assumption is that 1.0.2 may still be in use by maintainers that backport security fixes. Also warn, at configure time, about "OpenSSL" API-compatible libraries that do not declare TLS1_3_VERSION. | | | | |
| socket.c: add reference to README.SSL in error message | Matthias Andree | 2020-03-30 | 1 | -1/+2 |
| and fix a typo in README.SSL. The reference will be printed if there is no trust anchor. Fixes #4 (Gitlab issue). | | | | |
| Fix garbage at end of plugin string with %h and/or %p | Matthias Andree | 2020-03-29 | 1 | -2/+3 |
| Commit 418cda65 from merge request !5 fixed an input buffer overrun but at the same time caused the terminating NUL byte in the output buffer to be written too late, 2 bytes per placeholder. Fix the size calculation for correctness, and use the output index and not the output length to terminate the output string. Fixes #16, reported by Stefan Thurner. [All references for Gitlab.] | | | | |
| Rename s -> vecsiz (vector size) to hint to its purpose | Matthias Andree | 2020-03-29 | 1 | -4/+4 |
| socket.c: Make SockKeepalive static, and readability variable renames. | Matthias Andree | 2019-09-27 | 1 | -9/+9 |
| Align with legacy_6x. | Matthias Andree | 2019-08-25 | 1 | -4/+10 |
| * Normalize include order. * Backport missed bug fixes. * Remove dead code. | | | | |
| fetchmail no longer reports System error during SSL_connect(): Success. | Matthias Andree | 2019-08-05 | 1 | -3/+6 |
| Fixes Debian Bug#928916, reported by Paul Kimoto. | | | | |
| Bump copyrights, and bump version to beta6. | Matthias Andree | 2019-08-05 | 1 | -1/+4 |
| FreeBSD cleanups to header shuffling. | Matthias Andree | 2019-08-05 | 1 | -4/+1 |
| Replace most strncpy() by strlcpy() calls. | Matthias Andree | 2019-05-12 | 1 | -1/+1 |
| Enable OpenSSL >= 1.0.2 native name verification. | Matthias Andree | 2019-01-27 | 1 | -0/+22 |
| Make compatible with a pure OpenSSL 1.1.0 API, ... | Matthias Andree | 2018-06-06 | 1 | -1/+8 |
| ...when deprecated functions are disabled, for instance, through -DOPENSSL_API_COMPAT=0x10100000L. | | | | |
| Add a FIXME comment. | Matthias Andree | 2017-08-11 | 1 | -0/+2 |
| Do not overrun plugin string when copying it. | Alexander Bluhm | 2017-08-10 | 1 | -1/+1 |
| parse_plugin() expands the % in plugin string to plugin_copy. It checks that it does not write behind the end of the destination memory, but the source length was not checked. This resulted in reading from a possibly invalid memory location which may cause a segmentation fault. Add a check for the string length of the source. | | | | |
| Cast argument to quiet -Wformat warning in C89 mode. | Matthias Andree | 2017-04-23 | 1 | -1/+1 |
| Reformat. | Matthias Andree | 2017-02-11 | 1 | -2/+2 |
| TLS: set hostname for SNI. | Matthias Andree | 2017-02-11 | 1 | -0/+14 |
| Initial TLSv1.3 support code. | Matthias Andree | 2017-02-11 | 1 | -1/+27 |
| Fixup protocol version handling in OpenSSL 1.0.X. | Matthias Andree | 2016-12-12 | 1 | -0/+4 |
| Support for Debian/Ubuntu mutilated SSLv3 support. | Matthias Andree | 2016-12-12 | 1 | -0/+4 |
| Ubuntu 16.04 LTS, in a misguided attempt to avoid SSLv3 without breaking the API, does not declare SSLv3 unsupported through the headers, so applications can only detect this situation at run-time. The symptom is that SSL_CTX_new errors out with SSL_R_NULL_SSL_METHOD_PASSED on the error stack; issue an additional note telling the user to select a newer version. | | | | |
| OpenSSL 1.1.0 API support. | Matthias Andree | 2016-12-12 | 1 | -4/+76 |
| This avoids functions marked deprecated in OpenSSL 1.1.0. At the same time, warn about unsupported use of LibreSSL, and treat LibreSSL the same as OpenSSL 1.0.X WRT protocol version logic. | | | | |
| Refactor OpenSSL protocol version selection logic. | Matthias Andree | 2016-12-12 | 1 | -44/+54 |
| Bump OpenSSL requirement to v1.0.2. | Matthias Andree | 2016-12-11 | 1 | -2/+2 |
| Really try to continue if OpenSSL lib newer than headers used at compile-time. | Matthias Andree | 2016-04-24 | 1 | -1/+0 |
| Enable TLS 1.1/1.2 options on LibreSSL. | Matthias Andree | 2016-04-24 | 1 | -2/+2 |
| LibreSSL does not provide a TLS_MAX_VERSION, so do not refer to it. | | | | |
| Avoid another C99-style comment. | Matthias Andree | 2016-01-30 | 1 | -3/+2 |
| Avoid C99-style comment. | Matthias Andree | 2016-01-30 | 1 | -2/+1 |
| Add OpenSSL version sanity checking. | Matthias Andree | 2016-01-30 | 1 | -1/+24 |
| Support ssl3+ tls1.1, tls1.2 in --sslproto. Report TLS1.1/1.2 if unsupported by OpenSSL. | Matthias Andree | 2015-04-11 | 1 | -2/+19 |
| Uses TLS_MAX_VERSION checks against TLS1_1_VERSION or TLS1_2_VERSION. | | | | |
| Fix typo regarding SSL_OP_NO_SSLv3, and carry over one basic block from master branch. | Matthias Andree | 2015-04-11 | 1 | -2/+7 |