[openssl-commits] [openssl] OpenSSL_1_0_1-stable update
The branch OpenSSL_1_0_1-stable has been updated via 968bccee468dc8edee4388fe661f761c5179aa70 (commit) via 604f67f52109383f6aefc7c5bf2befaf7182eb98 (commit) via a7316aace3871b637b8099a2efe30af38f988ad4 (commit) from 1967199f9f8ed3faf376ddbb077f41551541f08a (commit) - Log - commit 968bccee468dc8edee4388fe661f761c5179aa70 Author: Matt CaswellDate: Mon Nov 30 16:04:51 2015 + Add some documentation for the OCSP callback functions Describe the usage of the OCSP callback functions on both the client and the server side. Reviewed-by: Viktor Dukhovni (cherry picked from commit c52c3b5e11253afabaa62739a8ee1c4c4bddcd53) commit 604f67f52109383f6aefc7c5bf2befaf7182eb98 Author: Matt Caswell Date: Mon Nov 30 13:29:41 2015 + Ensure we don't call the OCSP callback if resuming a session It makes no sense to call the OCSP status callback if we are resuming a session because no certificates will be sent. Reviewed-by: Viktor Dukhovni (cherry picked from commit 0ac6239955965f58f9dddb4229e8cd58e0dba20d) commit a7316aace3871b637b8099a2efe30af38f988ad4 Author: Matt Caswell Date: Thu Nov 5 14:52:27 2015 + Fix error when server does not send CertificateStatus message If a server sends the status_request extension then it may choose to send the CertificateStatus message. However this is optional. We were treating it as mandatory and the connection was failing. Thanks to BoringSSL for reporting this issue. RT#4120 Reviewed-by: Viktor Dukhovni (cherry picked from commit 905943af3b43116b64ae815db1a6b9c2f15e0356) --- Summary of changes: doc/ssl/SSL_CTX_set_tlsext_status_cb.pod | 73 ssl/s3_clnt.c| 61 ++ ssl/t1_lib.c | 14 +++--- 3 files changed, 113 insertions(+), 35 deletions(-) create mode 100644 doc/ssl/SSL_CTX_set_tlsext_status_cb.pod diff --git a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod new file mode 100644 index 000..b8147ba --- /dev/null +++ b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod @@ -0,0 +1,73 @@ +=pod + +=head1 NAME + +SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg, +SSL_set_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp, +SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions + +=head1 SYNOPSIS + + #include + + long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, + int (*callback)(SSL *, void *)); + long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg); + + long SSL_set_tlsext_status_type(SSL *s, int type); + + long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp); + long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len); + +=head1 DESCRIPTION + +A client application may request that a server send back an OCSP status response +(also known as OCSP stapling). To do so the client should call the +SSL_set_tlsext_status_type() function prior to the start of the handshake. +Currently the only supported type is B. This value +should be passed in the B argument. The client should additionally provide +a callback function to decide what to do with the returned OCSP response by +calling SSL_CTX_set_tlsext_status_cb(). The callback function should determine +whether the returned OCSP response is acceptable or not. The callback will be +passed as an argument the value previously set via a call to +SSL_CTX_set_tlsext_status_arg(). Note that the callback will not be called in +the event of a handshake where session resumption occurs (because there are no +Certificates exchanged in such a handshake). + +The response returned by the server can be obtained via a call to +SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point +to the OCSP response data and the return value will be the length of that data. +Typically a callback would obtain an OCSP_RESPONSE object from this data via a +call to the d2i_OCSP_RESPONSE() function. If the server has not provided any +response data then B<*resp> will be NULL and the return value from +SSL_get_tlsext_status_ocsp_resp() will be -1. + +A server application must also call the SSL_CTX_set_tlsext_status_cb() function +if it wants to be able to provide clients with OCSP Certificate Status +responses. Typically the server callback would obtain the server certificate +that is being sent back to the client via a call to SSL_get_certificate(); +obtain the OCSP response to be sent back; and then set that response data by +calling SSL_set_tlsext_status_ocsp_resp(). A pointer to the response data should +be
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via c52c3b5e11253afabaa62739a8ee1c4c4bddcd53 (commit) via 0ac6239955965f58f9dddb4229e8cd58e0dba20d (commit) via 905943af3b43116b64ae815db1a6b9c2f15e0356 (commit) from 155a1623d005297626008efb4f71714dd023de25 (commit) - Log - commit c52c3b5e11253afabaa62739a8ee1c4c4bddcd53 Author: Matt CaswellDate: Mon Nov 30 16:04:51 2015 + Add some documentation for the OCSP callback functions Describe the usage of the OCSP callback functions on both the client and the server side. Reviewed-by: Viktor Dukhovni commit 0ac6239955965f58f9dddb4229e8cd58e0dba20d Author: Matt Caswell Date: Mon Nov 30 13:29:41 2015 + Ensure we don't call the OCSP callback if resuming a session It makes no sense to call the OCSP status callback if we are resuming a session because no certificates will be sent. Reviewed-by: Viktor Dukhovni commit 905943af3b43116b64ae815db1a6b9c2f15e0356 Author: Matt Caswell Date: Thu Nov 5 14:52:27 2015 + Fix error when server does not send CertificateStatus message If a server sends the status_request extension then it may choose to send the CertificateStatus message. However this is optional. We were treating it as mandatory and the connection was failing. Thanks to BoringSSL for reporting this issue. RT#4120 Reviewed-by: Viktor Dukhovni --- Summary of changes: doc/ssl/SSL_CTX_set_tlsext_status_cb.pod | 73 ssl/s3_clnt.c| 61 ++ ssl/t1_lib.c | 14 +++--- 3 files changed, 113 insertions(+), 35 deletions(-) create mode 100644 doc/ssl/SSL_CTX_set_tlsext_status_cb.pod diff --git a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod new file mode 100644 index 000..b8147ba --- /dev/null +++ b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod @@ -0,0 +1,73 @@ +=pod + +=head1 NAME + +SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg, +SSL_set_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp, +SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions + +=head1 SYNOPSIS + + #include + + long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, + int (*callback)(SSL *, void *)); + long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg); + + long SSL_set_tlsext_status_type(SSL *s, int type); + + long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp); + long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len); + +=head1 DESCRIPTION + +A client application may request that a server send back an OCSP status response +(also known as OCSP stapling). To do so the client should call the +SSL_set_tlsext_status_type() function prior to the start of the handshake. +Currently the only supported type is B. This value +should be passed in the B argument. The client should additionally provide +a callback function to decide what to do with the returned OCSP response by +calling SSL_CTX_set_tlsext_status_cb(). The callback function should determine +whether the returned OCSP response is acceptable or not. The callback will be +passed as an argument the value previously set via a call to +SSL_CTX_set_tlsext_status_arg(). Note that the callback will not be called in +the event of a handshake where session resumption occurs (because there are no +Certificates exchanged in such a handshake). + +The response returned by the server can be obtained via a call to +SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point +to the OCSP response data and the return value will be the length of that data. +Typically a callback would obtain an OCSP_RESPONSE object from this data via a +call to the d2i_OCSP_RESPONSE() function. If the server has not provided any +response data then B<*resp> will be NULL and the return value from +SSL_get_tlsext_status_ocsp_resp() will be -1. + +A server application must also call the SSL_CTX_set_tlsext_status_cb() function +if it wants to be able to provide clients with OCSP Certificate Status +responses. Typically the server callback would obtain the server certificate +that is being sent back to the client via a call to SSL_get_certificate(); +obtain the OCSP response to be sent back; and then set that response data by +calling SSL_set_tlsext_status_ocsp_resp(). A pointer to the response data should +be provided in the B argument, and the length of that data should be in +the B argument. + +=head1 RETURN VALUES + +The callback when used on the client side should return a negative value on +error; 0 if the response is
[openssl-commits] [openssl] master update
The branch master has been updated via b1931d432f4b53ceb2e2eacec09c2e32e043830b (commit) via 43c34894d703e3e5c2fc03bad3a78a1cf10d8ba5 (commit) via 80e339fd09ca32680e0c0cbcfa40d73212ea276d (commit) via bb1aaab42880489729aeafea27d3569cce60c20b (commit) via ef96e4a28fa98cdf44246baab9ec8cdb69914fd9 (commit) from b22d71131aa01d371029908e3c2bce332fd77e70 (commit) - Log - commit b1931d432f4b53ceb2e2eacec09c2e32e043830b Author: Matt CaswellDate: Thu Dec 10 10:44:30 2015 + Simplify calling of the OCSP callback Move all calls of the OCSP callback into one place, rather than repeating it in two different places. Reviewed-by: Viktor Dukhovni commit 43c34894d703e3e5c2fc03bad3a78a1cf10d8ba5 Author: Matt Caswell Date: Mon Nov 30 16:04:51 2015 + Add some documentation for the OCSP callback functions Describe the usage of the OCSP callback functions on both the client and the server side. Reviewed-by: Viktor Dukhovni commit 80e339fd09ca32680e0c0cbcfa40d73212ea276d Author: Matt Caswell Date: Mon Nov 30 13:29:41 2015 + Ensure we don't call the OCSP callback if resuming a session It makes no sense to call the OCSP status callback if we are resuming a session because no certificates will be sent. Reviewed-by: Viktor Dukhovni commit bb1aaab42880489729aeafea27d3569cce60c20b Author: Matt Caswell Date: Thu Nov 5 14:31:11 2015 + Fix error when server does not send CertificateStatus message If a server sends the status_request extension then it may choose to send the CertificateStatus message. However this is optional. We were treating it as mandatory and the connection was failing. Thanks to BoringSSL for reporting this issue. RT#4120 Reviewed-by: Viktor Dukhovni commit ef96e4a28fa98cdf44246baab9ec8cdb69914fd9 Author: Matt Caswell Date: Thu Nov 5 14:08:54 2015 + Add test for missing CertificateStatus message If the client sends a status_request extension in the ClientHello and the server responds with a status_request extension in the ServerHello then normally the server will also later send a CertificateStatus message. However this message is *optional* even if the extensions were sent. This adds a test to ensure that if the extensions are sent then we can still omit the message. Reviewed-by: Viktor Dukhovni --- Summary of changes: doc/ssl/SSL_CTX_set_tlsext_status_cb.pod | 73 ++ ssl/statem/statem_clnt.c | 50 --- ssl/t1_lib.c | 27 ++-- ...test_sslskewith0p.t => 70-test_sslcertstatus.t} | 33 +- util/TLSProxy/ClientHello.pm | 1 + 5 files changed, 123 insertions(+), 61 deletions(-) create mode 100644 doc/ssl/SSL_CTX_set_tlsext_status_cb.pod copy test/recipes/{70-test_sslskewith0p.t => 70-test_sslcertstatus.t} (80%) diff --git a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod new file mode 100644 index 000..b8147ba --- /dev/null +++ b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod @@ -0,0 +1,73 @@ +=pod + +=head1 NAME + +SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg, +SSL_set_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp, +SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions + +=head1 SYNOPSIS + + #include + + long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, + int (*callback)(SSL *, void *)); + long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg); + + long SSL_set_tlsext_status_type(SSL *s, int type); + + long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp); + long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len); + +=head1 DESCRIPTION + +A client application may request that a server send back an OCSP status response +(also known as OCSP stapling). To do so the client should call the +SSL_set_tlsext_status_type() function prior to the start of the handshake. +Currently the only supported type is B. This value +should be passed in the B argument. The client should additionally provide +a callback function to decide what to do with the returned OCSP response by +calling SSL_CTX_set_tlsext_status_cb(). The callback function should determine +whether the returned OCSP response is acceptable or not. The callback will be +passed as an argument the value previously set via a call to +SSL_CTX_set_tlsext_status_arg(). Note that the callback will not be called in +the
[openssl-commits] [openssl] master update
The branch master has been updated via 057b6f797d89964892620fe9980a1ca6872a771f (commit) from b1931d432f4b53ceb2e2eacec09c2e32e043830b (commit) - Log - commit 057b6f797d89964892620fe9980a1ca6872a771f Author: Matt CaswellDate: Wed Dec 23 16:36:59 2015 + Increase the max size limit for a CertificateRequest message Previous versions of OpenSSL had the max size limit for a CertificateRequest message as |s->max_cert_list|. Previously master had it to be SSL3_RT_MAX_PLAIN_LENGTH. However these messages can get quite long if a server is configured with a long list of acceptable CA names. Therefore the size limit has been increased to be consistent with previous versions. RT#4198 Reviewed-by: Viktor Dukhovni --- Summary of changes: ssl/statem/statem_clnt.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index b14e6ed..536689b 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -696,7 +696,11 @@ unsigned long ossl_statem_client_max_message_size(SSL *s) return SERVER_KEY_EXCH_MAX_LENGTH; case TLS_ST_CR_CERT_REQ: -return SSL3_RT_MAX_PLAIN_LENGTH; +/* Set to s->max_cert_list for compatibility with previous releases. + * In practice these messages can get quite long if servers are + * configured to provide a long list of acceptable CAs + */ +return s->max_cert_list; case TLS_ST_CR_SRVR_DONE: return SERVER_HELLO_DONE_MAX_LENGTH; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits