14d0a95492
Accepting request 893363 from security:tls:unstable
Jason Sikes
2021-05-17 22:28:37 +00:00
2830ba6131
Accepting request 893363 from security:tls:unstable
Jason Sikes
2021-05-17 22:28:37 +00:00
845a4614ec
Accepting request 873726 from security:tls:unstable
Jason Sikes
2021-02-22 15:21:06 +00:00
fc84692df0
Accepting request 873726 from security:tls:unstable
Jason Sikes
2021-02-22 15:21:06 +00:00
12a74bf19d
- Update to 3.0.0 Alpha 9
  * See also https://www.openssl.org/news/changelog.html
  * Deprecated all the libcrypto and libssl error string loading
    functions. Calling these functions is not necessary since
    OpenSSL 1.1.0, as OpenSSL now loads error strings automatically.
  * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback,
    as well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have
    been deprecated. These are used to set the Diffie-Hellman (DH)
    parameters that are to be used by servers requiring ephemeral DH keys.
    Instead applications should consider using the built-in DH parameters
    that are available by calling SSL_CTX_set_dh_auto() or
    SSL_set_dh_auto().
  * The -crypt option to the passwd command line tool has been removed.
  * The -C option to the x509, dhparam, dsaparam, and ecparam commands
    has been removed.
  * Added several checks to X509_verify_cert() according to requirements
    in RFC 5280 in case 'X509_V_FLAG_X509_STRICT' is set (which may be
    done by using the CLI option '-x509_strict'):
    - The basicConstraints of CA certificates must be marked critical.
    - CA certificates must explicitly include the keyUsage extension.
    - If a pathlenConstraint is given the key usage keyCertSign must
      be allowed.
    - The issuer name of any certificate must not be empty.
    - The subject name of CA certs, certs with keyUsage crlSign, and
      certs without subjectAlternativeName must not be empty.
    - If a subjectAlternativeName extension is given it must not be empty.
    - The signatureAlgorithm field and the cert signature must be
      consistent.
    - Any given authorityKeyIdentifier and any given subjectKeyIdentifier
      must not be marked critical.
    - The authorityKeyIdentifier must be given for X.509v3 certs unless
      they are self-signed.
    - The subjectKeyIdentifier must be given for all X.509v3 CA certs.
Pedro Monreal Gonzalez
2020-12-17 11:11:02 +00:00
037d3fe84f
- Update to 3.0.0 Alpha 9
  * See also https://www.openssl.org/news/changelog.html
  * Deprecated all the libcrypto and libssl error string loading
    functions. Calling these functions is not necessary since
    OpenSSL 1.1.0, as OpenSSL now loads error strings automatically.
  * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback,
    as well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have
    been deprecated. These are used to set the Diffie-Hellman (DH)
    parameters that are to be used by servers requiring ephemeral DH keys.
    Instead applications should consider using the built-in DH parameters
    that are available by calling SSL_CTX_set_dh_auto() or
    SSL_set_dh_auto().
  * The -crypt option to the passwd command line tool has been removed.
  * The -C option to the x509, dhparam, dsaparam, and ecparam commands
    has been removed.
  * Added several checks to X509_verify_cert() according to requirements
    in RFC 5280 in case 'X509_V_FLAG_X509_STRICT' is set (which may be
    done by using the CLI option '-x509_strict'):
    - The basicConstraints of CA certificates must be marked critical.
    - CA certificates must explicitly include the keyUsage extension.
    - If a pathlenConstraint is given the key usage keyCertSign must
      be allowed.
    - The issuer name of any certificate must not be empty.
    - The subject name of CA certs, certs with keyUsage crlSign, and
      certs without subjectAlternativeName must not be empty.
    - If a subjectAlternativeName extension is given it must not be empty.
    - The signatureAlgorithm field and the cert signature must be
      consistent.
    - Any given authorityKeyIdentifier and any given subjectKeyIdentifier
      must not be marked critical.
    - The authorityKeyIdentifier must be given for X.509v3 certs unless
      they are self-signed.
    - The subjectKeyIdentifier must be given for all X.509v3 CA certs.
Pedro Monreal Gonzalez
2020-12-17 11:11:02 +00:00
2e0715fa85
Accepting request 826265 from home:pmonrealgonzalez:branches:security:tls
Tomáš Chvátal
2020-08-13 20:20:33 +00:00
2d441cd663
Accepting request 826265 from home:pmonrealgonzalez:branches:security:tls
Tomáš Chvátal
2020-08-13 20:20:33 +00:00
bd5704df62
- Fix linking when the deprecated SSL_get_per_certificate() is in use
  * https://github.com/openssl/openssl/pull/12468
  * add 0001-Fix-typo-for-SSL_get_peer_certificate.patch
Vítězslav Čížek
2020-07-20 09:26:52 +00:00
bda45a31f3
- Fix linking when the deprecated SSL_get_per_certificate() is in use
  * https://github.com/openssl/openssl/pull/12468
  * add 0001-Fix-typo-for-SSL_get_peer_certificate.patch
Vítězslav Čížek
2020-07-20 09:26:52 +00:00
55e8b0c8a6
Accepting request 821489 from home:pmonrealgonzalez:branches:security:tls
Tomáš Chvátal
2020-07-17 11:26:23 +00:00
0a9d203a57
Accepting request 821489 from home:pmonrealgonzalez:branches:security:tls
Tomáš Chvátal
2020-07-17 11:26:23 +00:00
f2d4c63e3b
Accepting request 817891 from home:vitezslav_cizek:branches:security:tls
Tomáš Chvátal
2020-07-01 07:09:05 +00:00
18e44c466b
Accepting request 817891 from home:vitezslav_cizek:branches:security:tls
Tomáš Chvátal
2020-07-01 07:09:05 +00:00