Revision 1.64 | 29-Dec-2023 | tb
Garbage collect the last users of SSL_set_debug(3)
This undocumented, incomplete public function has never done anything useful. It will be removed from libssl. Removing it from openssl(1) clears the way for this.
ok jsing

Revision 1.63 | 29-Dec-2023 | tb
s_client: pause hasn't worked in ages. Just ignore it
ok jsing

Revision tags: OPENBSD_7_4_BASE

Revision 1.62 | 03-Jul-2023 | beck
Bring back no_tls1 and no_tls1_1 as undocumented silently discarded options
While I'm here, change the no_ssl2 and no_ssl3 options to use OPTION_DISCARD as well instead of continuing to set a no-op option flag.
ok jsing@ tb@

Revision 1.61 | 03-Jul-2023 | beck
Remove the tls1.0 and 1.1 related options from the openssl(1) toolkit
ok tb@

Revision tags: OPENBSD_7_3_BASE

Revision 1.60 | 06-Mar-2023 | tb
Rename struct ${app}_config to plain cfg
All the structs are static and we need to reach into them many times. Having a shorter name is more concise and results in less visual clutter. It also avoids many overlong lines and we will be able to get rid of some unfortunate line wrapping down the road.
Discussed with jsing

Revision 1.59 | 11-Nov-2022 | joshua
Remove the legacy interactive mode from openssl(1).
This removes the legacy interactive mode from openssl(1) since it is rarely used, complicates the code, and has also been removed from OpenSSL in version 3.x.x.
ok tb@ jsing@

Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE

Revision 1.58 | 03-Feb-2022 | tb
Use X509_*get0_pubkey() wherever possible to simplify and clean up the code. Also add error checking where possible.
ok jsing

Revision 1.57 | 26-Dec-2021 | jsing
Attempt to opportunistically use the host name for SNI in s_client.
ok beck@ inoguchi@ tb@

Revision 1.56 | 25-Oct-2021 | jca
Garbage collect another unused variable.
Spotted by egcc and probably clang 13. ok tb@

Revision 1.55 | 22-Oct-2021 | tb
Garbage collect an unused variable.

Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE

Revision 1.54 | 17-Mar-2021 | jsing
Read ahead is now enforced for DTLS - remove workarounds.
ok inoguchi@ tb@

Revision 1.53 | 17-Mar-2021 | jsing
Add DTLSv1.2 support to openssl(1) s_client/s_server.
ok inoguchi@ tb@

Revision 1.52 | 14-Oct-2020 | tb
Free peekaboo pbuf at end of s_client_main()
Otherwise each run of the s_client leaks 16k of memory. This hurts in interactive mode.
ok inoguchi jsing

Revision tags: OPENBSD_6_8_BASE

Revision 1.51 | 10-Jul-2020 | inoguchi
Clean up s_client.c
- Remove space between '*' and pointer variable.
- Add function prototype.
- Move callback function to bottom.
- Move typedef struct to up.

Revision 1.50 | 10-Jul-2020 | inoguchi
Change variable bio_c_out from global to local
ok tb@

Revision 1.49 | 09-Jul-2020 | inoguchi
Wrap long lines and put space in front of label in s_client.c

Revision 1.48 | 09-Jul-2020 | inoguchi
Remove c_ prefix from s_client_config member

Revision 1.47 | 09-Jul-2020 | inoguchi
Convert openssl(1) s_client option handling
suggestions and ok beck@ jsing@ tb@

Revision 1.46 | 23-May-2020 | tb
In ssl_lib.c revision 1.217, jsing enabled SSL_MODE_AUTO_RETRY by default. To avoid hanging on a blocking read, we need to clear the SSL_MODE_AUTO_RETRY flag in the s_client and the s_server.
ok beck inoguchi jsing

Revision 1.45 | 22-May-2020 | deraadt
sockaddr should be sockaddr_storage, otherwise with "openssl s_client -6 -dtls1" (gurn) getsockname() retrieves a truncated result and 14 bytes of stack garbage get copied onwards. ok tb
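The truncation described in this commit, shown as an added example that is not code from s_client.c or from this log. It uses only the portable sockets API: an AF_INET6 UDP socket is bound to [::]:0 and getsockname(2) is asked for the local address first into a bare struct sockaddr, then into a struct sockaddr_storage. Assumptions: the kernel follows the POSIX rule of truncating the copy and reporting the full length in *addrlen, and IPv6 sockets may be unavailable in a sandbox, in which case the helpers return -1 instead of failing.

```c
/*
 * Added example (not code from s_client.c): why getsockname(2) must be
 * given a struct sockaddr_storage rather than a bare struct sockaddr.
 * Portable C, sockets API only.  Assumption: an AF_INET6 socket may be
 * refused in some sandboxes; the helpers then return -1 rather than abort.
 */
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bytes of a sockaddr_in6 that do not fit in a generic struct sockaddr. */
size_t in6_bytes_beyond_sockaddr(void)
{
	return sizeof(struct sockaddr_in6) - sizeof(struct sockaddr);
}

/* sockaddr_storage is sized and aligned to hold any supported address. */
int storage_holds_in6(void)
{
	return sizeof(struct sockaddr_storage) >= sizeof(struct sockaddr_in6);
}

/*
 * Bind an IPv6 UDP socket to [::]:0 (all-zero sockaddr_in6 is ::), then
 * ask getsockname(2) for the local address using a buffer of buflen bytes.
 * Returns the length the kernel says the address really has, 0 if
 * getsockname fails, or -1 if IPv6 sockets are not available here.
 */
static int local_addr_len(void *buf, socklen_t buflen)
{
	struct sockaddr_in6 any;
	socklen_t len = buflen;
	int s, rc;

	if ((s = socket(AF_INET6, SOCK_DGRAM, 0)) == -1)
		return -1;
	memset(&any, 0, sizeof(any));
	any.sin6_family = AF_INET6;
	if (bind(s, (struct sockaddr *)&any, sizeof(any)) == -1) {
		close(s);
		return -1;
	}
	rc = getsockname(s, (struct sockaddr *)buf, &len);
	close(s);
	return rc == -1 ? 0 : (int)len;
}

/*
 * The bug: struct sockaddr (16 bytes) is too small for a sockaddr_in6, so
 * the kernel truncates the copy and reports the length it wanted.  Any
 * code that then copies "the address" onward using the reported length
 * reads past the struct into uninitialised stack.
 * Returns 1 if truncation was observed, 0 if not, -1 if no IPv6.
 */
int getsockname_truncates_into_sockaddr(void)
{
	struct sockaddr sa;
	int len = local_addr_len(&sa, sizeof(sa));

	if (len == -1)
		return -1;
	return len > (int)sizeof(sa);
}

/* The fix: a struct sockaddr_storage receives the whole sockaddr_in6. */
int getsockname_fits_in_storage(void)
{
	struct sockaddr_storage ss;
	int len = local_addr_len(&ss, sizeof(ss));

	if (len == -1)
		return -1;
	return len == (int)sizeof(struct sockaddr_in6);
}

int main(void)
{
	printf("sockaddr_in6 exceeds sockaddr by %zu bytes\n",
	    in6_bytes_beyond_sockaddr());
	printf("truncated into struct sockaddr: %d\n",
	    getsockname_truncates_into_sockaddr());
	printf("fits in sockaddr_storage: %d\n", getsockname_fits_in_storage());
	return 0;
}
```

The size difference printed by the example is the platform's, not necessarily the 14 bytes quoted above; the point that survives on every platform is that the reported length exceeds the buffer when a bare struct sockaddr is used, and matches sizeof(struct sockaddr_in6) when a sockaddr_storage is used.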

Revision tags: OPENBSD_6_7_BASE

Revision 1.44 | 26-Apr-2020 | inoguchi
s_client: fix use of possibly uninitialized values
Set initial value to variable 'p' and 'pending'.
Reported and fix requested from leonklingele by GitHub pull request. https://github.com/libressl-portable/portable/issues/577 https://github.com/libressl-portable/openbsd/pull/114
ok bcook@ jsing@ tb@

Revision 1.43 | 19-Apr-2020 | jsing
Add -groups option to openssl(1) s_server.
This allows supported EC groups to be configured, which will also control which TLSv1.3 key shares we'll accept. While here, deprecate the rather useless -named_curve option, which is effectively the same as -groups with a single group. Also stop setting a single default group of P-256 via SSL_CTX_set_tmp_ecdh() - use the library defaults instead.
ok beck@ inoguchi@

Revision 1.42 | 16-Feb-2020 | jsing
Add -tls1_3 and -notls1_3 options to openssl(1) s_client.
Also stop using version pinned methods, instead setting the min and max protocol versions.
Requested by inoguchi@
ok inoguchi@ tb@

Revision 1.41 | 23-Jan-2020 | beck
Make -peekaboo mode also use SSL_pending after peeking, to ensure SSL_pending implementation is correct.
annoying jsing@

Revision 1.40 | 22-Jan-2020 | jsing
Simplify the peekaboo code.
ok beck@

Revision 1.39 | 22-Jan-2020 | beck
Add -peekaboo option to s_client, to test SSL_peek peeks data before reading, compares to subsequent read.
ok jsing@

Revision tags: OPENBSD_6_6_BASE

Revision 1.38 | 28-Jun-2019 | deraadt
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.

Revision tags: OPENBSD_6_5_BASE

Revision 1.37 | 14-Nov-2018 | tb
didn't found -> didn't find.
From Edgar Pettijohn III

Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE

Revision 1.36 | 11-Feb-2018 | jmc
typo in output string; from edgar pettijohn

Revision 1.35 | 07-Feb-2018 | jsing
Indent labels with a single space so that diff prototypes are more useful.

Revision 1.34 | 07-Feb-2018 | jsing
Remove guards around *_free() calls since these functions handle NULL.

Revision tags: OPENBSD_6_2_BASE

Revision 1.33 | 12-Aug-2017 | jsing
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@

Revision 1.32 | 18-Apr-2017 | deraadt
use freezero() instead of 4-line conditional explicit_bzero + free

Revision tags: OPENBSD_6_1_BASE

Revision 1.31 | 24-Jan-2017 | jsing
Add a -groups option to openssl s_client, which allows supported EC curves to be specified as a colon separated list.
ok beck@

Revision 1.30 | 20-Jan-2017 | deraadt
rearrange pledge promises into the canonical order; easier to eyeball

Revision 1.29 | 30-Dec-2016 | jsing
Display details of the server ephemeral key, based on OpenSSL.
ok doug@

Revision tags: OPENBSD_6_0_BASE

Revision 1.28 | 21-Jun-2016 | bcook
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were successfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@

Revision tags: OPENBSD_5_9_BASE

Revision 1.27 | 01-Dec-2015 | jca
Undo previous, pledge("dns") was already present. The problem was in s_server.

Revision 1.26 | 01-Dec-2015 | beck
pledge dns so openssl can use dns.. noticed and fixed by todd@ ok jcs@ deraadt@ theo@

Revision 1.25 | 21-Nov-2015 | jca
In pledge(), put "dns" right after "inet".

Revision 1.24 | 21-Nov-2015 | jca
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@

Revision 1.23 | 17-Oct-2015 | doug
Exit if a pledge call fails in non-interactive mode.
ok semarie@

Revision 1.22 | 17-Oct-2015 | semarie
add "tty" for several subcommands of openssl
it is needed in order to let the libssl UI_* functions play with echo on/off when asking for a password on the terminal.
passwd subcommand needs additional "wpath cpath" in order to let it call fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several with and ok doug@

Revision 1.21 | 10-Oct-2015 | doug
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session that may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.

Revision 1.20 | 06-Oct-2015 | deraadt
these do not use ioctl.h

Revision 1.19 | 11-Sep-2015 | bcook
Remove engine command and parameters from openssl(1).
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all.
ok jsing@

Revision 1.18 | 10-Sep-2015 | jsing
Correct spelling of OPENSSL_cleanse.

Revision 1.17 | 10-Sep-2015 | bcook
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@

Revision 1.16 | 22-Aug-2015 | jsing
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere).
ok deraadt@ doug@

Revision 1.15 | 11-Aug-2015 | landry
Improve openssl s_client -starttls xmpp support.
From https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest
- add a -xmpphost option to specify the xmpp virtual host
- fix an infinite loop when the vhost isn't what the server expects
- fix communication with openfire & prosody servers
with tweaks & ok bcook@ doug@ manpage bits jmc@

Revision tags: OPENBSD_5_8_BASE

Revision 1.14 | 17-Jul-2015 | doug
Remove SSLv3 support from openssl(1) s_client.
ok miod@ bcook@ beck@

Revision 1.13 | 14-Apr-2015 | jsing
Move verify externs into the header file.

Revision tags: OPENBSD_5_7_BASE

Revision 1.12 | 13-Jan-2015 | bluhm
Add the possibility to use the openssl s_client tool with an http proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@

Revision 1.11 | 14-Dec-2014 | jsing
unifdef OPENSSL_NO_NEXTPROTONEG

Revision 1.10 | 10-Dec-2014 | jsing
Add ALPN support to openssl(1).
Based on OpenSSL.

Revision 1.9 | 02-Dec-2014 | deraadt
convert select() to poll(). This is one of the most complicated conversions in the tree, because the original code is very rotten and fragile. Please test and report any failures. Assistance from millert, bcook, and jsing.

Revision 1.8 | 18-Nov-2014 | krw
Nuke more obvious #include duplications.
ok deraadt@ millert@ tedu@

Revision 1.7 | 07-Nov-2014 | jsing
More OPENSSL_NO_TLSEXT clean up.

Revision 1.6 | 06-Nov-2014 | jsing
TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT, which was already done for libssl some time back.

Revision 1.5 | 22-Oct-2014 | jsing
None of these need <openssl/rand.h>

Revision 1.4 | 20-Oct-2014 | bcook
s_client: don't call shutdown on a non-existent socket descriptor.
from Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ok beck@, deraadt@

Revision 1.3 | 13-Oct-2014 | bcook
Use O_NONBLOCK over FIONBIO.
Prefer this because it is the POSIX standard and has consistent behavior across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
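The two conventions in this log that touch every syscall in s_client.c, O_NONBLOCK via fcntl(2) instead of ioctl(FIONBIO) (this commit, 1.3) and treating only an exact -1 as a syscall failure before reading errno (revision 1.38 above), shown together as an added example. This is not code from s_client.c or from libcrypto's BIO_socket_nbio(); it is a portable stand-in for what that helper does, demonstrated on a pipe so it runs offline. The function names are this example's own.

```c
/*
 * Added example (not code from s_client.c or libcrypto): put a descriptor
 * into non-blocking mode the POSIX way, with fcntl(2) and O_NONBLOCK, and
 * treat only an exact -1 return as failure before consulting errno.
 * Exercised on a pipe rather than a socket so it runs without a network.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Portable stand-in for the O_NONBLOCK path of BIO_socket_nbio():
 * read-modify-write the file status flags.  Returns 0 on success and -1
 * on failure with errno left as fcntl(2) set it.
 */
int fd_set_nonblock(int fd, int on)
{
	int flags;

	if ((flags = fcntl(fd, F_GETFL)) == -1)
		return -1;
	if (on)
		flags |= O_NONBLOCK;
	else
		flags &= ~O_NONBLOCK;
	if (fcntl(fd, F_SETFL, flags) == -1)
		return -1;
	return 0;
}

/* Report whether O_NONBLOCK is set: 1 or 0, or -1 if fcntl fails. */
int fd_is_nonblock(int fd)
{
	int flags = fcntl(fd, F_GETFL);

	if (flags == -1)
		return -1;
	return (flags & O_NONBLOCK) != 0;
}

/* Switch a fresh pipe on and off again; 1 if both states were observed. */
int nonblock_roundtrip(void)
{
	int p[2], ok;

	if (pipe(p) == -1)
		return 0;
	ok = fd_set_nonblock(p[0], 1) == 0 && fd_is_nonblock(p[0]) == 1 &&
	    fd_set_nonblock(p[0], 0) == 0 && fd_is_nonblock(p[0]) == 0;
	close(p[0]);
	close(p[1]);
	return ok;
}

/*
 * Read from an empty, non-blocking pipe whose write end is still open.
 * Returns 1 if read(2) returned exactly -1 with EAGAIN/EWOULDBLOCK, which
 * is the condition a poll(2)-driven client loop keys on; 0 otherwise.
 */
int empty_nonblocking_read_yields_eagain(void)
{
	int p[2], saved_errno;
	ssize_t n;
	char c;

	if (pipe(p) == -1)
		return 0;
	if (fd_set_nonblock(p[0], 1) == -1) {
		close(p[0]);
		close(p[1]);
		return 0;
	}
	n = read(p[0], &c, 1);
	saved_errno = errno;	/* errno is only meaningful when n == -1 */
	close(p[0]);
	close(p[1]);
	return n == -1 && (saved_errno == EAGAIN || saved_errno == EWOULDBLOCK);
}

/* A bad descriptor must fail with exactly -1 and EBADF, nothing else. */
int bad_fd_reports_minus_one(void)
{
	int rc = fd_set_nonblock(-1, 1);

	return rc == -1 && errno == EBADF;
}

int main(void)
{
	printf("non-blocking round trip: %d\n", nonblock_roundtrip());
	printf("EAGAIN on empty non-blocking pipe: %d\n",
	    empty_nonblocking_read_yields_eagain());
	printf("bad fd gives -1/EBADF: %d\n", bad_fd_reports_minus_one());
	return 0;
}
```

The saved_errno copy matters: close(2) may overwrite errno, and errno is only defined after a call that returned -1, which is exactly the strictness revision 1.38 asks for.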

Revision 1.2 | 01-Sep-2014 | doug
Enable -Wshadow in openssl(1) and fix a few shadow warnings.
ok jsing@

Revision 1.1 | 26-Aug-2014 | jsing
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.62 |
|
03-Jul-2023 |
beck |
Bring back no_tls1 and no_tls1_1 as undocumented silently discarded opitons
While I'm here, change the no_ssl2 and no_ssl3 options to use OPTION_DISCARD as well instead of continuing to set a no-op option flag.
ok jsing@ tb@
|
#
1.61 |
|
03-Jul-2023 |
beck |
Remove the tls1.0 and 1.1 related options from the openssl(1) toolkit
ok tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.60 |
|
06-Mar-2023 |
tb |
Rename struct ${app}_config to plain cfg
All the structs are static and we need to reach into them many times. Having a shorter name is more concise and results in less visual clutter. It also avoids many overlong lines and we will be able to get rid of some unfortunate line wrapping down the road.
Discussed with jsing
|
#
1.59 |
|
11-Nov-2022 |
joshua |
Remove the legacy interactive mode from openssl(1).
This removes the legacy interactive mode from openssl(1) since it is rarely used, complicates the code, and has also been removed from OpenSSL in version 3.x.x.
ok tb@ jsing@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.58 |
|
03-Feb-2022 |
tb |
Use X509_*get0_pubkey() wherever possible to simplify and clean up the code. Also add error checking where possible.
ok jsing
|
#
1.57 |
|
26-Dec-2021 |
jsing |
Attempt to opportunistically use the host name for SNI in s_client.
ok beck@ inoguchi@ tb@
|
#
1.56 |
|
25-Oct-2021 |
jca |
Garbage collect another unused variable.
Spotted by egcc and probably clang 13. ok tb@
|
#
1.55 |
|
22-Oct-2021 |
tb |
Garbage collect an unused variable.
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.54 |
|
17-Mar-2021 |
jsing |
Read ahead is now enforced for DTLS - remove workarounds.
ok inoguchi@ tb@
|
#
1.53 |
|
17-Mar-2021 |
jsing |
Add DTLSv1.2 support to openssl(1) s_client/s_server.
ok inoguchi@ tb@
|
#
1.52 |
|
14-Oct-2020 |
tb |
Free peekaboo pbuf at end of s_client_main()
Otherwise each run of the s_client leaks 16k of memory. This hurts in interactive mode.
ok inoguchi jsing
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.51 |
|
10-Jul-2020 |
inoguchi |
Clean up s_client.c
- Remove space between '*' and pointer variable. - Add function prototype. - Move callback function to bottom. - Move typedef struct to up.
|
#
1.50 |
|
10-Jul-2020 |
inoguchi |
Change variable bio_c_out from global to local
ok tb@
|
#
1.49 |
|
09-Jul-2020 |
inoguchi |
Wrap long lines and put space in front of label in s_client.c
|
#
1.48 |
|
09-Jul-2020 |
inoguchi |
Remove c_ prefix from s_client_config member
|
#
1.47 |
|
09-Jul-2020 |
inoguchi |
Convert openssl(1) s_client option handling
suggestions and ok beck@ jsing@ tb@
|
#
1.46 |
|
23-May-2020 |
tb |
In ssl_lib.c revision 1.217, jsing enabled SSL_MODE_AUTO_RETRY by default. To avoid hanging on a blocking read, we need to clear the SSL_MODE_AUTO_RETRY flag in the s_client and the s_server.
ok beck inoguchi jsing
|
#
1.45 |
|
22-May-2020 |
deraadt |
sockaddr should be sockaddr_storage, otherwise "openssl s_client -6 -dtls1" (gurn) copies getsockname() retrieves a truncated result and 14 bytes of stack garbage get copied onwards. ok tb
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.44 |
|
26-Apr-2020 |
inoguchi |
s_client: fix use of possibly uninitialized values
Set initial value to variable 'p' and 'pending'.
Reported and fix requested from leonklingele by GitHub pull request. https://github.com/libressl-portable/portable/issues/577 https://github.com/libressl-portable/openbsd/pull/114
ok bcook@ jsing@ tb@
|
#
1.43 |
|
19-Apr-2020 |
jsing |
Add -groups option to openssl(1) s_server.
This allows supported EC groups to be configured, which will also control which TLSv1.3 key shares we'll accept. While here, deprecate the rather useless -named_curve option, which is effectively the same as -groups with a single group. Also stop setting a single default group of P-256 via SSL_CTX_set_tmp_ecdh() - use the library defaults instead.
ok beck@ inoguchi@
|
#
1.42 |
|
16-Feb-2020 |
jsing |
Add -tls1_3 and -notls1_3 options to openssl(1) s_client.
Also stop using version pinned methods, instead setting the min and max protocol versions.
Requested by inoguchi@
ok inoguchi@ tb@
|
#
1.41 |
|
23-Jan-2020 |
beck |
Make -peekaboo mode also use SSL_pending after peeking, to ensure SSL_pending implementation is correct.
annoying jsing@
|
#
1.40 |
|
22-Jan-2020 |
jsing |
Simplify the peekaboo code.
ok beck@
|
#
1.39 |
|
22-Jan-2020 |
beck |
Add -peekaboo option to s_client, to test SSL_peek peeks data before reading, compares to subsequent read.
ok jsing@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.38 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.37 |
|
14-Nov-2018 |
tb |
didn't found -> didn't find.
From Edgar Pettijohn III
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.36 |
|
11-Feb-2018 |
jmc |
typo in output string; from edgar pettijohn
|
#
1.35 |
|
07-Feb-2018 |
jsing |
Indent labels with a single space so that diff prototypes are more useful.
|
#
1.34 |
|
07-Feb-2018 |
jsing |
Remove guards around *_free() calls since these functions handle NULL.
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.33 |
|
12-Aug-2017 |
jsing |
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@
|
#
1.32 |
|
18-Apr-2017 |
deraadt |
use freezero() instead of 4-line conditional explicit_bzero + free
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.31 |
|
24-Jan-2017 |
jsing |
Add a -groups option to openssl s_client, which allows supported EC curves to be specified as a colon separated list.
ok beck@
|
#
1.30 |
|
20-Jan-2017 |
deraadt |
rearrange pledge promises into the canonical order; easier to eyeball
|
#
1.29 |
|
30-Dec-2016 |
jsing |
Display details of the server ephemeral key, based on OpenSSL.
ok doug@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.28 |
|
21-Jun-2016 |
bcook |
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were succesfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.27 |
|
01-Dec-2015 |
jca |
Undo previous, pledge("dns") was already present. The problem was in s_server.
|
#
1.26 |
|
01-Dec-2015 |
beck |
pledge dns so openssl can use dns.. noticed and fix by todd@ ok jcs@ deraadt@ theo@
|
#
1.25 |
|
21-Nov-2015 |
jca |
In pledge(), put "dns" right after "inet".
|
#
1.24 |
|
21-Nov-2015 |
jca |
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@
|
#
1.23 |
|
17-Oct-2015 |
doug |
Exit if a pledge call fails in non-interactive mode.
ok semarie@
|
#
1.22 |
|
17-Oct-2015 |
semarie |
add "tty" for several subcommands of openssl
it is needed in order to let libssl UI_* function plays with echo on/off when asking for password on terminal.
passwd subcommand needs additionnal "wpath cpath" in order to let it calls fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several with and ok doug@
|
#
1.21 |
|
10-Oct-2015 |
doug |
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session than may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
#
1.20 |
|
06-Oct-2015 |
deraadt |
these do not use ioctl.h
|
#
1.19 |
|
11-Sep-2015 |
bcook |
Remove engine command and parameters from openssl(1).
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all.
ok jsing@
|
#
1.18 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
|
#
1.17 |
|
10-Sep-2015 |
bcook |
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
|
#
1.16 |
|
22-Aug-2015 |
jsing |
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere).
ok deraadt@ doug@
|
#
1.15 |
|
11-Aug-2015 |
landry |
Improve openssl s_client -starttls xmpp support.
From https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest - add a -xmpphost option to specify the xmpp virtual host - fix an infinite loop when the vhost isnt what the server expects - fix communication with openfire & prosody servers
with tweaks & ok bcook@ doug@ manpage bits jmc@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.14 |
|
17-Jul-2015 |
doug |
Remove SSLv3 support from openssl(1) s_client.
ok miod@ bcook@ beck@
|
#
1.13 |
|
14-Apr-2015 |
jsing |
Move verify externs into the header file.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.12 |
|
13-Jan-2015 |
bluhm |
Add the possibility to use the openssl s_client tool with an http proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@
|
#
1.11 |
|
14-Dec-2014 |
jsing |
unifdef OPENSSL_NO_NEXTPROTONEG
|
#
1.10 |
|
10-Dec-2014 |
jsing |
Add ALPN support to openssl(1).
Based on OpenSSL.
|
#
1.9 |
|
02-Dec-2014 |
deraadt |
convert select() to poll(). This is one of the most complicated conversions in the tree, because the original code is very rotten and fragile. Please test and report any failures. Assistance from millert, bcook, and jsing.
|
#
1.8 |
|
18-Nov-2014 |
krw |
Nuke more obvious #include duplications.
ok deraadt@ millert@ tedu@
|
#
1.7 |
|
07-Nov-2014 |
jsing |
More OPENSSL_NO_TLSEXT clean up.
|
#
1.6 |
|
06-Nov-2014 |
jsing |
TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT, which was already done for libssl some time back.
|
#
1.5 |
|
22-Oct-2014 |
jsing |
None of these need <openssl/rand.h>
|
#
1.4 |
|
20-Oct-2014 |
bcook |
s_client: don't call shutdown on a non-existent socket descriptor.
from Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ok beck@, deraadt@
|
#
1.3 |
|
13-Oct-2014 |
bcook |
Use O_NONBLOCK over FIONBIO.
Prefer this because it is the POSIX standard and has consistent behavior across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
#
1.2 |
|
01-Sep-2014 |
doug |
Enable -Wshadow in openssl(1) and fix a few shadow warnings.
ok jsing@
|
#
1.1 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.60 |
|
06-Mar-2023 |
tb |
Rename struct ${app}_config to plain cfg
All the structs are static and we need to reach into them many times. Having a shorter name is more concise and results in less visual clutter. It also avoids many overlong lines and we will be able to get rid of some unfortunate line wrapping down the road.
Discussed with jsing
|
#
1.59 |
|
11-Nov-2022 |
joshua |
Remove the legacy interactive mode from openssl(1).
This removes the legacy interactive mode from openssl(1) since it is rarely used, complicates the code, and has also been removed from OpenSSL in version 3.x.x.
ok tb@ jsing@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.58 |
|
03-Feb-2022 |
tb |
Use X509_*get0_pubkey() wherever possible to simplify and clean up the code. Also add error checking where possible.
ok jsing
|
#
1.57 |
|
26-Dec-2021 |
jsing |
Attempt to opportunistically use the host name for SNI in s_client.
ok beck@ inoguchi@ tb@
|
#
1.56 |
|
25-Oct-2021 |
jca |
Garbage collect another unused variable.
Spotted by egcc and probably clang 13. ok tb@
|
#
1.55 |
|
22-Oct-2021 |
tb |
Garbage collect an unused variable.
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.54 |
|
17-Mar-2021 |
jsing |
Read ahead is now enforced for DTLS - remove workarounds.
ok inoguchi@ tb@
|
#
1.53 |
|
17-Mar-2021 |
jsing |
Add DTLSv1.2 support to openssl(1) s_client/s_server.
ok inoguchi@ tb@
|
#
1.52 |
|
14-Oct-2020 |
tb |
Free peekaboo pbuf at end of s_client_main()
Otherwise each run of the s_client leaks 16k of memory. This hurts in interactive mode.
ok inoguchi jsing
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.51 |
|
10-Jul-2020 |
inoguchi |
Clean up s_client.c
- Remove space between '*' and pointer variable. - Add function prototype. - Move callback function to bottom. - Move typedef struct to up.
|
#
1.50 |
|
10-Jul-2020 |
inoguchi |
Change variable bio_c_out from global to local
ok tb@
|
#
1.49 |
|
09-Jul-2020 |
inoguchi |
Wrap long lines and put space in front of label in s_client.c
|
#
1.48 |
|
09-Jul-2020 |
inoguchi |
Remove c_ prefix from s_client_config member
|
#
1.47 |
|
09-Jul-2020 |
inoguchi |
Convert openssl(1) s_client option handling
suggestions and ok beck@ jsing@ tb@
|
#
1.46 |
|
23-May-2020 |
tb |
In ssl_lib.c revision 1.217, jsing enabled SSL_MODE_AUTO_RETRY by default. To avoid hanging on a blocking read, we need to clear the SSL_MODE_AUTO_RETRY flag in the s_client and the s_server.
ok beck inoguchi jsing
|
#
1.45 |
|
22-May-2020 |
deraadt |
sockaddr should be sockaddr_storage, otherwise "openssl s_client -6 -dtls1" (gurn) copies getsockname() retrieves a truncated result and 14 bytes of stack garbage get copied onwards. ok tb
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.44 |
|
26-Apr-2020 |
inoguchi |
s_client: fix use of possibly uninitialized values
Set initial value to variable 'p' and 'pending'.
Reported and fix requested from leonklingele by GitHub pull request. https://github.com/libressl-portable/portable/issues/577 https://github.com/libressl-portable/openbsd/pull/114
ok bcook@ jsing@ tb@
|
#
1.43 |
|
19-Apr-2020 |
jsing |
Add -groups option to openssl(1) s_server.
This allows supported EC groups to be configured, which will also control which TLSv1.3 key shares we'll accept. While here, deprecate the rather useless -named_curve option, which is effectively the same as -groups with a single group. Also stop setting a single default group of P-256 via SSL_CTX_set_tmp_ecdh() - use the library defaults instead.
ok beck@ inoguchi@
|
#
1.42 |
|
16-Feb-2020 |
jsing |
Add -tls1_3 and -notls1_3 options to openssl(1) s_client.
Also stop using version pinned methods, instead setting the min and max protocol versions.
Requested by inoguchi@
ok inoguchi@ tb@
|
#
1.41 |
|
23-Jan-2020 |
beck |
Make -peekaboo mode also use SSL_pending after peeking, to ensure SSL_pending implementation is correct.
annoying jsing@
|
#
1.40 |
|
22-Jan-2020 |
jsing |
Simplify the peekaboo code.
ok beck@
|
#
1.39 |
|
22-Jan-2020 |
beck |
Add -peekaboo option to s_client, to test SSL_peek peeks data before reading, compares to subsequent read.
ok jsing@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.38 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.37 |
|
14-Nov-2018 |
tb |
didn't found -> didn't find.
From Edgar Pettijohn III
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.36 |
|
11-Feb-2018 |
jmc |
typo in output string; from edgar pettijohn
|
#
1.35 |
|
07-Feb-2018 |
jsing |
Indent labels with a single space so that diff prototypes are more useful.
|
#
1.34 |
|
07-Feb-2018 |
jsing |
Remove guards around *_free() calls since these functions handle NULL.
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.33 |
|
12-Aug-2017 |
jsing |
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@
|
#
1.32 |
|
18-Apr-2017 |
deraadt |
use freezero() instead of 4-line conditional explicit_bzero + free
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.31 |
|
24-Jan-2017 |
jsing |
Add a -groups option to openssl s_client, which allows supported EC curves to be specified as a colon separated list.
ok beck@
|
#
1.30 |
|
20-Jan-2017 |
deraadt |
rearrange pledge promises into the canonical order; easier to eyeball
|
#
1.29 |
|
30-Dec-2016 |
jsing |
Display details of the server ephemeral key, based on OpenSSL.
ok doug@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.28 |
|
21-Jun-2016 |
bcook |
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were succesfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.27 |
|
01-Dec-2015 |
jca |
Undo previous, pledge("dns") was already present. The problem was in s_server.
|
#
1.26 |
|
01-Dec-2015 |
beck |
pledge dns so openssl can use dns.. noticed and fix by todd@ ok jcs@ deraadt@ theo@
|
#
1.25 |
|
21-Nov-2015 |
jca |
In pledge(), put "dns" right after "inet".
|
#
1.24 |
|
21-Nov-2015 |
jca |
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@
|
#
1.23 |
|
17-Oct-2015 |
doug |
Exit if a pledge call fails in non-interactive mode.
ok semarie@
|
#
1.22 |
|
17-Oct-2015 |
semarie |
add "tty" for several subcommands of openssl
it is needed in order to let libssl UI_* function plays with echo on/off when asking for password on terminal.
passwd subcommand needs additionnal "wpath cpath" in order to let it calls fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several with and ok doug@
|
#
1.21 |
|
10-Oct-2015 |
doug |
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session than may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
#
1.20 |
|
06-Oct-2015 |
deraadt |
these do not use ioctl.h
|
#
1.19 |
|
11-Sep-2015 |
bcook |
Remove engine command and parameters from openssl(1).
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all.
ok jsing@
|
#
1.18 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
|
#
1.17 |
|
10-Sep-2015 |
bcook |
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
|
#
1.16 |
|
22-Aug-2015 |
jsing |
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere).
ok deraadt@ doug@
|
#
1.15 |
|
11-Aug-2015 |
landry |
Improve openssl s_client -starttls xmpp support.
From https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest - add a -xmpphost option to specify the xmpp virtual host - fix an infinite loop when the vhost isnt what the server expects - fix communication with openfire & prosody servers
with tweaks & ok bcook@ doug@ manpage bits jmc@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.14 |
|
17-Jul-2015 |
doug |
Remove SSLv3 support from openssl(1) s_client.
ok miod@ bcook@ beck@
|
#
1.13 |
|
14-Apr-2015 |
jsing |
Move verify externs into the header file.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.12 |
|
13-Jan-2015 |
bluhm |
Add the possibility to use the openssl s_client tool with an http proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@
|
#
1.11 |
|
14-Dec-2014 |
jsing |
unifdef OPENSSL_NO_NEXTPROTONEG
|
#
1.10 |
|
10-Dec-2014 |
jsing |
Add ALPN support to openssl(1).
Based on OpenSSL.
|
#
1.9 |
|
02-Dec-2014 |
deraadt |
convert select() to poll(). This is one of the most complicated conversions in the tree, because the original code is very rotten and fragile. Please test and report any failures. Assistance from millert, bcook, and jsing.
|
#
1.8 |
|
18-Nov-2014 |
krw |
Nuke more obvious #include duplications.
ok deraadt@ millert@ tedu@
|
#
1.7 |
|
07-Nov-2014 |
jsing |
More OPENSSL_NO_TLSEXT clean up.
|
#
1.6 |
|
06-Nov-2014 |
jsing |
TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT, which was already done for libssl some time back.
|
#
1.5 |
|
22-Oct-2014 |
jsing |
None of these need <openssl/rand.h>
|
#
1.4 |
|
20-Oct-2014 |
bcook |
s_client: don't call shutdown on a non-existent socket descriptor.
from Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ok beck@, deraadt@
|
#
1.3 |
|
13-Oct-2014 |
bcook |
Use O_NONBLOCK over FIONBIO.
Prefer this because it is the POSIX standard and has consistent behavior across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
#
1.2 |
|
01-Sep-2014 |
doug |
Enable -Wshadow in openssl(1) and fix a few shadow warnings.
ok jsing@
|
#
1.1 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
ok doug@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.28 |
|
21-Jun-2016 |
bcook |
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were successfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.27 |
|
01-Dec-2015 |
jca |
Undo previous, pledge("dns") was already present. The problem was in s_server.
|
#
1.26 |
|
01-Dec-2015 |
beck |
pledge dns so openssl can use dns.. noticed and fix by todd@ ok jcs@ deraadt@ theo@
|
#
1.25 |
|
21-Nov-2015 |
jca |
In pledge(), put "dns" right after "inet".
|
#
1.24 |
|
21-Nov-2015 |
jca |
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@
|
#
1.23 |
|
17-Oct-2015 |
doug |
Exit if a pledge call fails in non-interactive mode.
ok semarie@
|
#
1.22 |
|
17-Oct-2015 |
semarie |
add "tty" for several subcommands of openssl
it is needed in order to let libssl UI_* functions play with echo on/off when asking for a password on the terminal.
passwd subcommand needs additional "wpath cpath" in order to let it call fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several with and ok doug@
|
#
1.21 |
|
10-Oct-2015 |
doug |
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session that may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
#
1.20 |
|
06-Oct-2015 |
deraadt |
these do not use ioctl.h
|
#
1.19 |
|
11-Sep-2015 |
bcook |
Remove engine command and parameters from openssl(1).
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all.
ok jsing@
|
#
1.18 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
|
#
1.17 |
|
10-Sep-2015 |
bcook |
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
|
#
1.16 |
|
22-Aug-2015 |
jsing |
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere).
ok deraadt@ doug@
|
#
1.15 |
|
11-Aug-2015 |
landry |
Improve openssl s_client -starttls xmpp support.
From https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest
- add a -xmpphost option to specify the xmpp virtual host
- fix an infinite loop when the vhost isn't what the server expects
- fix communication with openfire & prosody servers
with tweaks & ok bcook@ doug@ manpage bits jmc@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.14 |
|
17-Jul-2015 |
doug |
Remove SSLv3 support from openssl(1) s_client.
ok miod@ bcook@ beck@
|
#
1.13 |
|
14-Apr-2015 |
jsing |
Move verify externs into the header file.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.12 |
|
13-Jan-2015 |
bluhm |
Add the possibility to use the openssl s_client tool with an http proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@
|
#
1.11 |
|
14-Dec-2014 |
jsing |
unifdef OPENSSL_NO_NEXTPROTONEG
|
#
1.10 |
|
10-Dec-2014 |
jsing |
Add ALPN support to openssl(1).
Based on OpenSSL.
|
#
1.9 |
|
02-Dec-2014 |
deraadt |
convert select() to poll(). This is one of the most complicated conversions in the tree, because the original code is very rotten and fragile. Please test and report any failures. Assistance from millert, bcook, and jsing.
|
#
1.8 |
|
18-Nov-2014 |
krw |
Nuke more obvious #include duplications.
ok deraadt@ millert@ tedu@
|
#
1.7 |
|
07-Nov-2014 |
jsing |
More OPENSSL_NO_TLSEXT clean up.
|
#
1.6 |
|
06-Nov-2014 |
jsing |
TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT, which was already done for libssl some time back.
|
#
1.5 |
|
22-Oct-2014 |
jsing |
None of these need <openssl/rand.h>
|
#
1.4 |
|
20-Oct-2014 |
bcook |
s_client: don't call shutdown on a non-existent socket descriptor.
from Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ok beck@, deraadt@
|
#
1.3 |
|
13-Oct-2014 |
bcook |
Use O_NONBLOCK over FIONBIO.
Prefer this because it is the POSIX standard and has consistent behavior across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
#
1.2 |
|
01-Sep-2014 |
doug |
Enable -Wshadow in openssl(1) and fix a few shadow warnings.
ok jsing@
|
#
1.1 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
ok bcook@ jsing@ tb@
|
#
1.43 |
|
19-Apr-2020 |
jsing |
Add -groups option to openssl(1) s_server.
This allows supported EC groups to be configured, which will also control which TLSv1.3 key shares we'll accept. While here, deprecate the rather useless -named_curve option, which is effectively the same as -groups with a single group. Also stop setting a single default group of P-256 via SSL_CTX_set_tmp_ecdh() - use the library defaults instead.
ok beck@ inoguchi@
|
#
1.42 |
|
16-Feb-2020 |
jsing |
Add -tls1_3 and -notls1_3 options to openssl(1) s_client.
Also stop using version pinned methods, instead setting the min and max protocol versions.
Requested by inoguchi@
ok inoguchi@ tb@
|
#
1.41 |
|
23-Jan-2020 |
beck |
Make -peekaboo mode also use SSL_pending after peeking, to ensure SSL_pending implementation is correct.
annoying jsing@
|
#
1.40 |
|
22-Jan-2020 |
jsing |
Simplify the peekaboo code.
ok beck@
|
#
1.39 |
|
22-Jan-2020 |
beck |
Add -peekaboo option to s_client, to test SSL_peek peeks data before reading, compares to subsequent read.
ok jsing@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.38 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.37 |
|
14-Nov-2018 |
tb |
didn't found -> didn't find.
From Edgar Pettijohn III
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.36 |
|
11-Feb-2018 |
jmc |
typo in output string; from edgar pettijohn
|
#
1.35 |
|
07-Feb-2018 |
jsing |
Indent labels with a single space so that diff prototypes are more useful.
|
#
1.34 |
|
07-Feb-2018 |
jsing |
Remove guards around *_free() calls since these functions handle NULL.
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.33 |
|
12-Aug-2017 |
jsing |
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@
|
#
1.32 |
|
18-Apr-2017 |
deraadt |
use freezero() instead of 4-line conditional explicit_bzero + free
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.31 |
|
24-Jan-2017 |
jsing |
Add a -groups option to openssl s_client, which allows supported EC curves to be specified as a colon separated list.
ok beck@
|
#
1.30 |
|
20-Jan-2017 |
deraadt |
rearrange pledge promises into the canonical order; easier to eyeball
|
#
1.29 |
|
30-Dec-2016 |
jsing |
Display details of the server ephemeral key, based on OpenSSL.
ok doug@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.28 |
|
21-Jun-2016 |
bcook |
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were succesfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.27 |
|
01-Dec-2015 |
jca |
Undo previous, pledge("dns") was already present. The problem was in s_server.
|
#
1.26 |
|
01-Dec-2015 |
beck |
pledge dns so openssl can use dns.. noticed and fix by todd@ ok jcs@ deraadt@ theo@
|
#
1.25 |
|
21-Nov-2015 |
jca |
In pledge(), put "dns" right after "inet".
|
#
1.24 |
|
21-Nov-2015 |
jca |
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@
|
#
1.23 |
|
17-Oct-2015 |
doug |
Exit if a pledge call fails in non-interactive mode.
ok semarie@
|
#
1.22 |
|
17-Oct-2015 |
semarie |
add "tty" for several subcommands of openssl
it is needed in order to let libssl UI_* function plays with echo on/off when asking for password on terminal.
passwd subcommand needs additionnal "wpath cpath" in order to let it calls fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several with and ok doug@
|
#
1.21 |
|
10-Oct-2015 |
doug |
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session than may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
#
1.20 |
|
06-Oct-2015 |
deraadt |
these do not use ioctl.h
|
#
1.19 |
|
11-Sep-2015 |
bcook |
Remove engine command and parameters from openssl(1).
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all.
ok jsing@
|
#
1.18 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
|
#
1.17 |
|
10-Sep-2015 |
bcook |
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
|
#
1.16 |
|
22-Aug-2015 |
jsing |
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere).
ok deraadt@ doug@
|
#
1.15 |
|
11-Aug-2015 |
landry |
Improve openssl s_client -starttls xmpp support.
From https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest - add a -xmpphost option to specify the xmpp virtual host - fix an infinite loop when the vhost isnt what the server expects - fix communication with openfire & prosody servers
with tweaks & ok bcook@ doug@ manpage bits jmc@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.14 |
|
17-Jul-2015 |
doug |
Remove SSLv3 support from openssl(1) s_client.
ok miod@ bcook@ beck@
|
#
1.13 |
|
14-Apr-2015 |
jsing |
Move verify externs into the header file.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.12 |
|
13-Jan-2015 |
bluhm |
Add the possibility to use the openssl s_client tool with an http proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@
|
#
1.11 |
|
14-Dec-2014 |
jsing |
unifdef OPENSSL_NO_NEXTPROTONEG
|
#
1.10 |
|
10-Dec-2014 |
jsing |
Add ALPN support to openssl(1).
Based on OpenSSL.
|
#
1.9 |
|
02-Dec-2014 |
deraadt |
convert select() to poll(). This is one of the most complicated conversions in the tree, because the original code is very rotten and fragile. Please test and report any failures. Assistance from millert, bcook, and jsing.
|
#
1.8 |
|
18-Nov-2014 |
krw |
Nuke more obvious #include duplications.
ok deraadt@ millert@ tedu@
|
#
1.7 |
|
07-Nov-2014 |
jsing |
More OPENSSL_NO_TLSEXT clean up.
|
#
1.6 |
|
06-Nov-2014 |
jsing |
TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT, which was already done for libssl some time back.
|
#
1.5 |
|
22-Oct-2014 |
jsing |
None of these need <openssl/rand.h>
|
#
1.4 |
|
20-Oct-2014 |
bcook |
s_client: don't call shutdown on a non-existent socket descriptor.
from Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ok beck@, deraadt@
|
#
1.3 |
|
13-Oct-2014 |
bcook |
Use O_NONBLOCK over FIONBIO.
Prefer this because it is the POSIX standard and has consistent behavior across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
#
1.2 |
|
01-Sep-2014 |
doug |
Enable -Wshadow in openssl(1) and fix a few shadow warnings.
ok jsing@
|
#
1.1 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.43 |
|
19-Apr-2020 |
jsing |
Add -groups option to openssl(1) s_server.
This allows supported EC groups to be configured, which will also control which TLSv1.3 key shares we'll accept. While here, deprecate the rather useless -named_curve option, which is effectively the same as -groups with a single group. Also stop setting a single default group of P-256 via SSL_CTX_set_tmp_ecdh() - use the library defaults instead.
ok beck@ inoguchi@
|
#
1.42 |
|
16-Feb-2020 |
jsing |
Add -tls1_3 and -notls1_3 options to openssl(1) s_client.
Also stop using version pinned methods, instead setting the min and max protocol versions.
Requested by inoguchi@
ok inoguchi@ tb@
|
#
1.41 |
|
23-Jan-2020 |
beck |
Make -peekaboo mode also use SSL_pending after peeking, to ensure SSL_pending implementation is correct.
annoying jsing@
|
#
1.40 |
|
22-Jan-2020 |
jsing |
Simplify the peekaboo code.
ok beck@
|
#
1.39 |
|
22-Jan-2020 |
beck |
Add -peekaboo option to s_client, to test SSL_peek peeks data before reading, compares to subsequent read.
ok jsing@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.38 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.37 |
|
14-Nov-2018 |
tb |
didn't found -> didn't find.
From Edgar Pettijohn III
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.36 |
|
11-Feb-2018 |
jmc |
typo in output string; from edgar pettijohn
|
#
1.35 |
|
07-Feb-2018 |
jsing |
Indent labels with a single space so that diff prototypes are more useful.
|
#
1.34 |
|
07-Feb-2018 |
jsing |
Remove guards around *_free() calls since these functions handle NULL.
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.33 |
|
12-Aug-2017 |
jsing |
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@
|
#
1.32 |
|
18-Apr-2017 |
deraadt |
use freezero() instead of 4-line conditional explicit_bzero + free
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.31 |
|
24-Jan-2017 |
jsing |
Add a -groups option to openssl s_client, which allows supported EC curves to be specified as a colon separated list.
ok beck@
|
#
1.30 |
|
20-Jan-2017 |
deraadt |
rearrange pledge promises into the canonical order; easier to eyeball
|
#
1.29 |
|
30-Dec-2016 |
jsing |
Display details of the server ephemeral key, based on OpenSSL.
ok doug@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.28 |
|
21-Jun-2016 |
bcook |
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were succesfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.27 |
|
01-Dec-2015 |
jca |
Undo previous, pledge("dns") was already present. The problem was in s_server.
|
#
1.26 |
|
01-Dec-2015 |
beck |
pledge dns so openssl can use dns.. noticed and fix by todd@ ok jcs@ deraadt@ theo@
|
#
1.25 |
|
21-Nov-2015 |
jca |
In pledge(), put "dns" right after "inet".
|
#
1.24 |
|
21-Nov-2015 |
jca |
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@
|
#
1.23 |
|
17-Oct-2015 |
doug |
Exit if a pledge call fails in non-interactive mode.
ok semarie@
|
#
1.22 |
|
17-Oct-2015 |
semarie |
add "tty" for several subcommands of openssl
it is needed in order to let libssl UI_* function plays with echo on/off when asking for password on terminal.
passwd subcommand needs additionnal "wpath cpath" in order to let it calls fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several with and ok doug@
|
#
1.21 |
|
10-Oct-2015 |
doug |
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session than may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
#
1.20 |
|
06-Oct-2015 |
deraadt |
these do not use ioctl.h
|
#
1.19 |
|
11-Sep-2015 |
bcook |
Remove engine command and parameters from openssl(1).
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all.
ok jsing@
|
#
1.18 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
|
#
1.17 |
|
10-Sep-2015 |
bcook |
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
|
#
1.16 |
|
22-Aug-2015 |
jsing |
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere).
ok deraadt@ doug@
|
#
1.15 |
|
11-Aug-2015 |
landry |
Improve openssl s_client -starttls xmpp support.
From https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest - add a -xmpphost option to specify the xmpp virtual host - fix an infinite loop when the vhost isnt what the server expects - fix communication with openfire & prosody servers
with tweaks & ok bcook@ doug@ manpage bits jmc@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.14 |
|
17-Jul-2015 |
doug |
Remove SSLv3 support from openssl(1) s_client.
ok miod@ bcook@ beck@
|
#
1.13 |
|
14-Apr-2015 |
jsing |
Move verify externs into the header file.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.12 |
|
13-Jan-2015 |
bluhm |
Add the possibility to use the openssl s_client tool with an http proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@
|
#
1.11 |
|
14-Dec-2014 |
jsing |
unifdef OPENSSL_NO_NEXTPROTONEG
|
#
1.10 |
|
10-Dec-2014 |
jsing |
Add ALPN support to openssl(1).
Based on OpenSSL.
|
#
1.9 |
|
02-Dec-2014 |
deraadt |
convert select() to poll(). This is one of the most complicated conversions in the tree, because the original code is very rotten and fragile. Please test and report any failures. Assistance from millert, bcook, and jsing.
|
#
1.8 |
|
18-Nov-2014 |
krw |
Nuke more obvious #include duplications.
ok deraadt@ millert@ tedu@
|
#
1.7 |
|
07-Nov-2014 |
jsing |
More OPENSSL_NO_TLSEXT clean up.
|
#
1.6 |
|
06-Nov-2014 |
jsing |
TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT, which was already done for libssl some time back.
|
#
1.5 |
|
22-Oct-2014 |
jsing |
None of these need <openssl/rand.h>
|
#
1.4 |
|
20-Oct-2014 |
bcook |
s_client: don't call shutdown on a non-existent socket descriptor.
from Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ok beck@, deraadt@
|
#
1.3 |
|
13-Oct-2014 |
bcook |
Use O_NONBLOCK over FIONBIO.
Prefer this because it is the POSIX standard and has consistent behavior across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
#
1.2 |
|
01-Sep-2014 |
doug |
Enable -Wshadow in openssl(1) and fix a few shadow warnings.
ok jsing@
|
#
1.1 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.42 |
|
16-Feb-2020 |
jsing |
Add -tls1_3 and -notls1_3 options to openssl(1) s_client.
Also stop using version pinned methods, instead setting the min and max protocol versions.
Requested by inoguchi@
ok inoguchi@ tb@
|
#
1.41 |
|
23-Jan-2020 |
beck |
Make -peekaboo mode also use SSL_pending after peeking, to ensure SSL_pending implementation is correct.
annoying jsing@
|
#
1.40 |
|
22-Jan-2020 |
jsing |
Simplify the peekaboo code.
ok beck@
|
#
1.39 |
|
22-Jan-2020 |
beck |
Add -peekaboo option to s_client, to test SSL_peek peeks data before reading, compares to subsequent read.
ok jsing@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.38 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.37 |
|
14-Nov-2018 |
tb |
didn't found -> didn't find.
From Edgar Pettijohn III
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.36 |
|
11-Feb-2018 |
jmc |
typo in output string; from edgar pettijohn
|
#
1.35 |
|
07-Feb-2018 |
jsing |
Indent labels with a single space so that diff prototypes are more useful.
|
#
1.34 |
|
07-Feb-2018 |
jsing |
Remove guards around *_free() calls since these functions handle NULL.
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.33 |
|
12-Aug-2017 |
jsing |
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@
|
#
1.32 |
|
18-Apr-2017 |
deraadt |
use freezero() instead of 4-line conditional explicit_bzero + free
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.31 |
|
24-Jan-2017 |
jsing |
Add a -groups option to openssl s_client, which allows supported EC curves to be specified as a colon separated list.
ok beck@
|
#
1.30 |
|
20-Jan-2017 |
deraadt |
rearrange pledge promises into the canonical order; easier to eyeball
|
#
1.29 |
|
30-Dec-2016 |
jsing |
Display details of the server ephemeral key, based on OpenSSL.
ok doug@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.28 |
|
21-Jun-2016 |
bcook |
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were succesfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.27 |
|
01-Dec-2015 |
jca |
Undo previous, pledge("dns") was already present. The problem was in s_server.
|
#
1.26 |
|
01-Dec-2015 |
beck |
pledge dns so openssl can use dns.. noticed and fix by todd@ ok jcs@ deraadt@ theo@
|
#
1.25 |
|
21-Nov-2015 |
jca |
In pledge(), put "dns" right after "inet".
|
#
1.24 |
|
21-Nov-2015 |
jca |
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@
|
#
1.23 |
|
17-Oct-2015 |
doug |
Exit if a pledge call fails in non-interactive mode.
ok semarie@
|
#
1.22 |
|
17-Oct-2015 |
semarie |
add "tty" for several subcommands of openssl
it is needed in order to let libssl UI_* function plays with echo on/off when asking for password on terminal.
passwd subcommand needs additionnal "wpath cpath" in order to let it calls fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several with and ok doug@
|
#
1.21 |
|
10-Oct-2015 |
doug |
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session than may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
#
1.20 |
|
06-Oct-2015 |
deraadt |
these do not use ioctl.h
|
#
1.19 |
|
11-Sep-2015 |
bcook |
Remove engine command and parameters from openssl(1).
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all.
ok jsing@
|
#
1.18 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
|
#
1.17 |
|
10-Sep-2015 |
bcook |
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
|
#
1.16 |
|
22-Aug-2015 |
jsing |
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere).
ok deraadt@ doug@
|
#
1.15 |
|
11-Aug-2015 |
landry |
Improve openssl s_client -starttls xmpp support.
From https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest - add a -xmpphost option to specify the xmpp virtual host - fix an infinite loop when the vhost isnt what the server expects - fix communication with openfire & prosody servers
with tweaks & ok bcook@ doug@ manpage bits jmc@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.14 |
|
17-Jul-2015 |
doug |
Remove SSLv3 support from openssl(1) s_client.
ok miod@ bcook@ beck@
|
#
1.13 |
|
14-Apr-2015 |
jsing |
Move verify externs into the header file.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.12 |
|
13-Jan-2015 |
bluhm |
Add the possibility to use the openssl s_client tool with an http proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@
|
#
1.11 |
|
14-Dec-2014 |
jsing |
unifdef OPENSSL_NO_NEXTPROTONEG
|
#
1.10 |
|
10-Dec-2014 |
jsing |
Add ALPN support to openssl(1).
Based on OpenSSL.
|
#
1.9 |
|
02-Dec-2014 |
deraadt |
convert select() to poll(). This is one of the most complicated conversions in the tree, because the original code is very rotten and fragile. Please test and report any failures. Assistance from millert, bcook, and jsing.
|
#
1.8 |
|
18-Nov-2014 |
krw |
Nuke more obvious #include duplications.
ok deraadt@ millert@ tedu@
|
#
1.7 |
|
07-Nov-2014 |
jsing |
More OPENSSL_NO_TLSEXT clean up.
|
#
1.6 |
|
06-Nov-2014 |
jsing |
TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT, which was already done for libssl some time back.
|
#
1.5 |
|
22-Oct-2014 |
jsing |
None of these need <openssl/rand.h>
|
#
1.4 |
|
20-Oct-2014 |
bcook |
s_client: don't call shutdown on a non-existent socket descriptor.
from Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ok beck@, deraadt@
|
#
1.3 |
|
13-Oct-2014 |
bcook |
Use O_NONBLOCK over FIONBIO.
Prefer this because it is the POSIX standard and has consistent behavior across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
#
1.2 |
|
01-Sep-2014 |
doug |
Enable -Wshadow in openssl(1) and fix a few shadow warnings.
ok jsing@
|
#
1.1 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.41 |
|
23-Jan-2020 |
beck |
Make -peekaboo mode also use SSL_pending after peeking, to ensure SSL_pending implementation is correct.
annoying jsing@
|
#
1.40 |
|
22-Jan-2020 |
jsing |
Simplify the peekaboo code.
ok beck@
|
#
1.39 |
|
22-Jan-2020 |
beck |
Add -peekaboo option to s_client, to test SSL_peek peeks data before reading, compares to subsequent read.
ok jsing@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.38 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.37 |
|
14-Nov-2018 |
tb |
didn't found -> didn't find.
From Edgar Pettijohn III
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.36 |
|
11-Feb-2018 |
jmc |
typo in output string; from edgar pettijohn
|
#
1.35 |
|
07-Feb-2018 |
jsing |
Indent labels with a single space so that diff prototypes are more useful.
|
#
1.34 |
|
07-Feb-2018 |
jsing |
Remove guards around *_free() calls since these functions handle NULL.
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.33 |
|
12-Aug-2017 |
jsing |
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@
|
#
1.32 |
|
18-Apr-2017 |
deraadt |
use freezero() instead of 4-line conditional explicit_bzero + free
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.31 |
|
24-Jan-2017 |
jsing |
Add a -groups option to openssl s_client, which allows supported EC curves to be specified as a colon separated list.
ok beck@
|
#
1.30 |
|
20-Jan-2017 |
deraadt |
rearrange pledge promises into the canonical order; easier to eyeball
|
#
1.29 |
|
30-Dec-2016 |
jsing |
Display details of the server ephemeral key, based on OpenSSL.
ok doug@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.28 |
|
21-Jun-2016 |
bcook |
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were succesfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.27 |
|
01-Dec-2015 |
jca |
Undo previous, pledge("dns") was already present. The problem was in s_server.
|
#
1.26 |
|
01-Dec-2015 |
beck |
pledge dns so openssl can use dns.. noticed and fix by todd@ ok jcs@ deraadt@ theo@
|
#
1.25 |
|
21-Nov-2015 |
jca |
In pledge(), put "dns" right after "inet".
|
#
1.24 |
|
21-Nov-2015 |
jca |
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@
|
#
1.23 |
|
17-Oct-2015 |
doug |
Exit if a pledge call fails in non-interactive mode.
ok semarie@
|
#
1.22 |
|
17-Oct-2015 |
semarie |
add "tty" for several subcommands of openssl
it is needed in order to let libssl UI_* function plays with echo on/off when asking for password on terminal.
passwd subcommand needs additionnal "wpath cpath" in order to let it calls fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several with and ok doug@
|
#
1.21 |
|
10-Oct-2015 |
doug |
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session than may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
#
1.20 |
|
06-Oct-2015 |
deraadt |
these do not use ioctl.h
|
#
1.19 |
|
11-Sep-2015 |
bcook |
Remove engine command and parameters from openssl(1).
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all.
ok jsing@
|
#
1.18 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
|
#
1.17 |
|
10-Sep-2015 |
bcook |
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
|
#
1.16 |
|
22-Aug-2015 |
jsing |
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere).
ok deraadt@ doug@
|
#
1.15 |
|
11-Aug-2015 |
landry |
Improve openssl s_client -starttls xmpp support.
From https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest - add a -xmpphost option to specify the xmpp virtual host - fix an infinite loop when the vhost isnt what the server expects - fix communication with openfire & prosody servers
with tweaks & ok bcook@ doug@ manpage bits jmc@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.14 |
|
17-Jul-2015 |
doug |
Remove SSLv3 support from openssl(1) s_client.
ok miod@ bcook@ beck@
|
#
1.13 |
|
14-Apr-2015 |
jsing |
Move verify externs into the header file.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.12 |
|
13-Jan-2015 |
bluhm |
Add the possibility to use the openssl s_client tool with an http proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@
|
#
1.11 |
|
14-Dec-2014 |
jsing |
unifdef OPENSSL_NO_NEXTPROTONEG
|
#
1.10 |
|
10-Dec-2014 |
jsing |
Add ALPN support to openssl(1).
Based on OpenSSL.
|
#
1.9 |
|
02-Dec-2014 |
deraadt |
convert select() to poll(). This is one of the most complicated conversions in the tree, because the original code is very rotten and fragile. Please test and report any failures. Assistance from millert, bcook, and jsing.
|
#
1.8 |
|
18-Nov-2014 |
krw |
Nuke more obvious #include duplications.
ok deraadt@ millert@ tedu@
|
#
1.7 |
|
07-Nov-2014 |
jsing |
More OPENSSL_NO_TLSEXT clean up.
|
#
1.6 |
|
06-Nov-2014 |
jsing |
TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT, which was already done for libssl some time back.
|
#
1.5 |
|
22-Oct-2014 |
jsing |
None of these need <openssl/rand.h>
|
#
1.4 |
|
20-Oct-2014 |
bcook |
s_client: don't call shutdown on a non-existent socket descriptor.
from Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ok beck@, deraadt@
|
#
1.3 |
|
13-Oct-2014 |
bcook |
Use O_NONBLOCK over FIONBIO.
Prefer this because it is the POSIX standard and has consistent behavior across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
#
1.2 |
|
01-Sep-2014 |
doug |
Enable -Wshadow in openssl(1) and fix a few shadow warnings.
ok jsing@
|
#
1.1 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.40 |
|
22-Jan-2020 |
jsing |
Simplify the peekaboo code.
ok beck@
|
#
1.39 |
|
22-Jan-2020 |
beck |
Add a -peekaboo option to s_client, to test that SSL_peek peeks data before reading, and compare it to the subsequent read.
ok jsing@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.38 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.37 |
|
14-Nov-2018 |
tb |
didn't found -> didn't find.
From Edgar Pettijohn III
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.36 |
|
11-Feb-2018 |
jmc |
Typo in output string; from Edgar Pettijohn.
|
#
1.35 |
|
07-Feb-2018 |
jsing |
Indent labels with a single space so that diff prototypes are more useful.
|
#
1.34 |
|
07-Feb-2018 |
jsing |
Remove guards around *_free() calls since these functions handle NULL.
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.33 |
|
12-Aug-2017 |
jsing |
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@
|
#
1.32 |
|
18-Apr-2017 |
deraadt |
use freezero() instead of 4-line conditional explicit_bzero + free
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.31 |
|
24-Jan-2017 |
jsing |
Add a -groups option to openssl s_client, which allows supported EC curves to be specified as a colon-separated list.
ok beck@
|
#
1.30 |
|
20-Jan-2017 |
deraadt |
rearrange pledge promises into the canonical order; easier to eyeball
|
#
1.29 |
|
30-Dec-2016 |
jsing |
Display details of the server ephemeral key, based on OpenSSL.
ok doug@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.28 |
|
21-Jun-2016 |
bcook |
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were successfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.27 |
|
01-Dec-2015 |
jca |
Undo previous, pledge("dns") was already present. The problem was in s_server.
|
#
1.26 |
|
01-Dec-2015 |
beck |
pledge dns so openssl can use dns. Noticed and fixed by todd@ ok jcs@ deraadt@ theo@
|
#
1.25 |
|
21-Nov-2015 |
jca |
In pledge(), put "dns" right after "inet".
|
#
1.24 |
|
21-Nov-2015 |
jca |
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@
|
#
1.23 |
|
17-Oct-2015 |
doug |
Exit if a pledge call fails in non-interactive mode.
ok semarie@
|
#
1.22 |
|
17-Oct-2015 |
semarie |
Add "tty" for several subcommands of openssl.
It is needed in order to let the libssl UI_* functions play with echo on/off when asking for a password on a terminal.
The passwd subcommand needs an additional "wpath cpath" in order to let it call fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
Problem reported by several; with and ok doug@
|
#
1.21 |
|
10-Oct-2015 |
doug |
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session that may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
#
1.20 |
|
06-Oct-2015 |
deraadt |
these do not use ioctl.h
|
#
1.19 |
|
11-Sep-2015 |
bcook |
Remove engine command and parameters from openssl(1).
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all.
ok jsing@
|
#
1.18 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
|
#
1.17 |
|
10-Sep-2015 |
bcook |
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
|
#
1.16 |
|
22-Aug-2015 |
jsing |
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere).
ok deraadt@ doug@
|
#
1.15 |
|
11-Aug-2015 |
landry |
Improve openssl s_client -starttls xmpp support.
From https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest - add a -xmpphost option to specify the xmpp virtual host - fix an infinite loop when the vhost isnt what the server expects - fix communication with openfire & prosody servers
with tweaks & ok bcook@ doug@ manpage bits jmc@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.14 |
|
17-Jul-2015 |
doug |
Remove SSLv3 support from openssl(1) s_client.
ok miod@ bcook@ beck@
|
#
1.13 |
|
14-Apr-2015 |
jsing |
Move verify externs into the header file.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.12 |
|
13-Jan-2015 |
bluhm |
Add the possibility to use the openssl s_client tool with an http proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@
|
#
1.11 |
|
14-Dec-2014 |
jsing |
unifdef OPENSSL_NO_NEXTPROTONEG
|
#
1.10 |
|
10-Dec-2014 |
jsing |
Add ALPN support to openssl(1).
Based on OpenSSL.
|
#
1.9 |
|
02-Dec-2014 |
deraadt |
convert select() to poll(). This is one of the most complicated conversions in the tree, because the original code is very rotten and fragile. Please test and report any failures. Assistance from millert, bcook, and jsing.
|
#
1.8 |
|
18-Nov-2014 |
krw |
Nuke more obvious #include duplications.
ok deraadt@ millert@ tedu@
|
#
1.7 |
|
07-Nov-2014 |
jsing |
More OPENSSL_NO_TLSEXT clean up.
|
#
1.6 |
|
06-Nov-2014 |
jsing |
TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT, which was already done for libssl some time back.
|
#
1.5 |
|
22-Oct-2014 |
jsing |
None of these need <openssl/rand.h>
|
#
1.4 |
|
20-Oct-2014 |
bcook |
s_client: don't call shutdown on a non-existent socket descriptor.
from Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ok beck@, deraadt@
|
#
1.3 |
|
13-Oct-2014 |
bcook |
Use O_NONBLOCK over FIONBIO.
Prefer this because it is the POSIX standard and has consistent behavior across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
#
1.2 |
|
01-Sep-2014 |
doug |
Enable -Wshadow in openssl(1) and fix a few shadow warnings.
ok jsing@
|
#
1.1 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.38 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.37 |
|
14-Nov-2018 |
tb |
didn't found -> didn't find.
From Edgar Pettijohn III
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.36 |
|
11-Feb-2018 |
jmc |
typo in output string; from edgar pettijohn
|
#
1.35 |
|
07-Feb-2018 |
jsing |
Indent labels with a single space so that diff prototypes are more useful.
|
#
1.34 |
|
07-Feb-2018 |
jsing |
Remove guards around *_free() calls since these functions handle NULL.
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.33 |
|
12-Aug-2017 |
jsing |
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@
|
#
1.32 |
|
18-Apr-2017 |
deraadt |
use freezero() instead of 4-line conditional explicit_bzero + free
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.31 |
|
24-Jan-2017 |
jsing |
Add a -groups option to openssl s_client, which allows supported EC curves to be specified as a colon separated list.
ok beck@
|
#
1.30 |
|
20-Jan-2017 |
deraadt |
rearrange pledge promises into the canonical order; easier to eyeball
|
#
1.29 |
|
30-Dec-2016 |
jsing |
Display details of the server ephemeral key, based on OpenSSL.
ok doug@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.28 |
|
21-Jun-2016 |
bcook |
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were succesfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.27 |
|
01-Dec-2015 |
jca |
Undo previous, pledge("dns") was already present. The problem was in s_server.
|
#
1.26 |
|
01-Dec-2015 |
beck |
pledge dns so openssl can use dns.. noticed and fix by todd@ ok jcs@ deraadt@ theo@
|
#
1.25 |
|
21-Nov-2015 |
jca |
In pledge(), put "dns" right after "inet".
|
#
1.24 |
|
21-Nov-2015 |
jca |
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@
|
#
1.23 |
|
17-Oct-2015 |
doug |
Exit if a pledge call fails in non-interactive mode.
ok semarie@
|
#
1.22 |
|
17-Oct-2015 |
semarie |
add "tty" for several subcommands of openssl
it is needed in order to let libssl UI_* function plays with echo on/off when asking for password on terminal.
passwd subcommand needs additionnal "wpath cpath" in order to let it calls fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several with and ok doug@
|
#
1.21 |
|
10-Oct-2015 |
doug |
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session than may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
#
1.20 |
|
06-Oct-2015 |
deraadt |
these do not use ioctl.h
|
#
1.19 |
|
11-Sep-2015 |
bcook |
Remove engine command and parameters from openssl(1).
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all.
ok jsing@
|
#
1.18 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
|
#
1.17 |
|
10-Sep-2015 |
bcook |
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
|
#
1.16 |
|
22-Aug-2015 |
jsing |
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere).
ok deraadt@ doug@
|
#
1.15 |
|
11-Aug-2015 |
landry |
Improve openssl s_client -starttls xmpp support.
From https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest - add a -xmpphost option to specify the xmpp virtual host - fix an infinite loop when the vhost isnt what the server expects - fix communication with openfire & prosody servers
with tweaks & ok bcook@ doug@ manpage bits jmc@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.14 |
|
17-Jul-2015 |
doug |
Remove SSLv3 support from openssl(1) s_client.
ok miod@ bcook@ beck@
|
#
1.13 |
|
14-Apr-2015 |
jsing |
Move verify externs into the header file.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.12 |
|
13-Jan-2015 |
bluhm |
Add the possibility to use the openssl s_client tool with an http proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@
|
#
1.11 |
|
14-Dec-2014 |
jsing |
unifdef OPENSSL_NO_NEXTPROTONEG
|
#
1.10 |
|
10-Dec-2014 |
jsing |
Add ALPN support to openssl(1).
Based on OpenSSL.
|
#
1.9 |
|
02-Dec-2014 |
deraadt |
convert select() to poll(). This is one of the most complicated conversions in the tree, because the original code is very rotten and fragile. Please test and report any failures. Assistance from millert, bcook, and jsing.
|
#
1.8 |
|
18-Nov-2014 |
krw |
Nuke more obvious #include duplications.
ok deraadt@ millert@ tedu@
|
#
1.7 |
|
07-Nov-2014 |
jsing |
More OPENSSL_NO_TLSEXT clean up.
|
#
1.6 |
|
06-Nov-2014 |
jsing |
TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT, which was already done for libssl some time back.
|
#
1.5 |
|
22-Oct-2014 |
jsing |
None of these need <openssl/rand.h>
|
#
1.4 |
|
20-Oct-2014 |
bcook |
s_client: don't call shutdown on a non-existent socket descriptor.
from Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ok beck@, deraadt@
|
#
1.3 |
|
13-Oct-2014 |
bcook |
Use O_NONBLOCK over FIONBIO.
Prefer this because it is the POSIX standard and has consistent behavior across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
#
1.2 |
|
01-Sep-2014 |
doug |
Enable -Wshadow in openssl(1) and fix a few shadow warnings.
ok jsing@
|
#
1.1 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.37 |
|
14-Nov-2018 |
tb |
didn't found -> didn't find.
From Edgar Pettijohn III
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.36 |
|
11-Feb-2018 |
jmc |
typo in output string; from edgar pettijohn
|
#
1.35 |
|
07-Feb-2018 |
jsing |
Indent labels with a single space so that diff prototypes are more useful.
|
#
1.34 |
|
07-Feb-2018 |
jsing |
Remove guards around *_free() calls since these functions handle NULL.
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.33 |
|
12-Aug-2017 |
jsing |
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@
|
#
1.32 |
|
18-Apr-2017 |
deraadt |
use freezero() instead of 4-line conditional explicit_bzero + free
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.31 |
|
24-Jan-2017 |
jsing |
Add a -groups option to openssl s_client, which allows supported EC curves to be specified as a colon separated list.
ok beck@
|
#
1.30 |
|
20-Jan-2017 |
deraadt |
rearrange pledge promises into the canonical order; easier to eyeball
|
#
1.29 |
|
30-Dec-2016 |
jsing |
Display details of the server ephemeral key, based on OpenSSL.
ok doug@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.28 |
|
21-Jun-2016 |
bcook |
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were succesfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.27 |
|
01-Dec-2015 |
jca |
Undo previous, pledge("dns") was already present. The problem was in s_server.
|
#
1.26 |
|
01-Dec-2015 |
beck |
pledge dns so openssl can use dns.. noticed and fix by todd@ ok jcs@ deraadt@ theo@
|
#
1.25 |
|
21-Nov-2015 |
jca |
In pledge(), put "dns" right after "inet".
|
#
1.24 |
|
21-Nov-2015 |
jca |
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@
|
#
1.23 |
|
17-Oct-2015 |
doug |
Exit if a pledge call fails in non-interactive mode.
ok semarie@
|
#
1.22 |
|
17-Oct-2015 |
semarie |
add "tty" for several subcommands of openssl
it is needed in order to let libssl UI_* function plays with echo on/off when asking for password on terminal.
passwd subcommand needs additionnal "wpath cpath" in order to let it calls fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several with and ok doug@
|
#
1.21 |
|
10-Oct-2015 |
doug |
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session than may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
#
1.20 |
|
06-Oct-2015 |
deraadt |
these do not use ioctl.h
|
#
1.19 |
|
11-Sep-2015 |
bcook |
Remove engine command and parameters from openssl(1).
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all.
ok jsing@
|
#
1.18 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
|
#
1.17 |
|
10-Sep-2015 |
bcook |
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
|
#
1.16 |
|
22-Aug-2015 |
jsing |
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere).
ok deraadt@ doug@
|
#
1.15 |
|
11-Aug-2015 |
landry |
Improve openssl s_client -starttls xmpp support.
From https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest - add a -xmpphost option to specify the xmpp virtual host - fix an infinite loop when the vhost isnt what the server expects - fix communication with openfire & prosody servers
with tweaks & ok bcook@ doug@ manpage bits jmc@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.14 |
|
17-Jul-2015 |
doug |
Remove SSLv3 support from openssl(1) s_client.
ok miod@ bcook@ beck@
|
#
1.13 |
|
14-Apr-2015 |
jsing |
Move verify externs into the header file.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.12 |
|
13-Jan-2015 |
bluhm |
Add the possibility to use the openssl s_client tool with an http proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@
|
#
1.11 |
|
14-Dec-2014 |
jsing |
unifdef OPENSSL_NO_NEXTPROTONEG
|
#
1.10 |
|
10-Dec-2014 |
jsing |
Add ALPN support to openssl(1).
Based on OpenSSL.
|
#
1.9 |
|
02-Dec-2014 |
deraadt |
convert select() to poll(). This is one of the most complicated conversions in the tree, because the original code is very rotten and fragile. Please test and report any failures. Assistance from millert, bcook, and jsing.
|
#
1.8 |
|
18-Nov-2014 |
krw |
Nuke more obvious #include duplications.
ok deraadt@ millert@ tedu@
|
#
1.7 |
|
07-Nov-2014 |
jsing |
More OPENSSL_NO_TLSEXT clean up.
|
#
1.6 |
|
06-Nov-2014 |
jsing |
TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT, which was already done for libssl some time back.
|
#
1.5 |
|
22-Oct-2014 |
jsing |
None of these need <openssl/rand.h>
|
#
1.4 |
|
20-Oct-2014 |
bcook |
s_client: don't call shutdown on a non-existent socket descriptor.
from Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ok beck@, deraadt@
|
#
1.3 |
|
13-Oct-2014 |
bcook |
Use O_NONBLOCK over FIONBIO.
Prefer this because it is the POSIX standard and has consistent behavior across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
#
1.2 |
|
01-Sep-2014 |
doug |
Enable -Wshadow in openssl(1) and fix a few shadow warnings.
ok jsing@
|
#
1.1 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.36 |
|
11-Feb-2018 |
jmc |
typo in output string; from edgar pettijohn
|
#
1.35 |
|
07-Feb-2018 |
jsing |
Indent labels with a single space so that diff prototypes are more useful.
|
#
1.34 |
|
07-Feb-2018 |
jsing |
Remove guards around *_free() calls since these functions handle NULL.
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.33 |
|
12-Aug-2017 |
jsing |
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@
|
#
1.32 |
|
18-Apr-2017 |
deraadt |
use freezero() instead of 4-line conditional explicit_bzero + free
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.31 |
|
24-Jan-2017 |
jsing |
Add a -groups option to openssl s_client, which allows supported EC curves to be specified as a colon separated list.
ok beck@
|
#
1.30 |
|
20-Jan-2017 |
deraadt |
rearrange pledge promises into the canonical order; easier to eyeball
|
#
1.29 |
|
30-Dec-2016 |
jsing |
Display details of the server ephemeral key, based on OpenSSL.
ok doug@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.28 |
|
21-Jun-2016 |
bcook |
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were succesfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.27 |
|
01-Dec-2015 |
jca |
Undo previous, pledge("dns") was already present. The problem was in s_server.
|
#
1.26 |
|
01-Dec-2015 |
beck |
pledge dns so openssl can use dns.. noticed and fix by todd@ ok jcs@ deraadt@ theo@
|
#
1.25 |
|
21-Nov-2015 |
jca |
In pledge(), put "dns" right after "inet".
|
#
1.24 |
|
21-Nov-2015 |
jca |
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@
|
#
1.23 |
|
17-Oct-2015 |
doug |
Exit if a pledge call fails in non-interactive mode.
ok semarie@
|
#
1.22 |
|
17-Oct-2015 |
semarie |
add "tty" for several subcommands of openssl
it is needed in order to let libssl UI_* function plays with echo on/off when asking for password on terminal.
passwd subcommand needs additionnal "wpath cpath" in order to let it calls fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several with and ok doug@
|
#
1.21 |
|
10-Oct-2015 |
doug |
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session than may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
#
1.20 |
|
06-Oct-2015 |
deraadt |
these do not use ioctl.h
|
#
1.19 |
|
11-Sep-2015 |
bcook |
Remove engine command and parameters from openssl(1).
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all.
ok jsing@
|
#
1.18 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
|
#
1.17 |
|
10-Sep-2015 |
bcook |
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
|
#
1.16 |
|
22-Aug-2015 |
jsing |
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere).
ok deraadt@ doug@
|
#
1.15 |
|
11-Aug-2015 |
landry |
Improve openssl s_client -starttls xmpp support.
From https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest - add a -xmpphost option to specify the xmpp virtual host - fix an infinite loop when the vhost isnt what the server expects - fix communication with openfire & prosody servers
with tweaks & ok bcook@ doug@ manpage bits jmc@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.14 |
|
17-Jul-2015 |
doug |
Remove SSLv3 support from openssl(1) s_client.
ok miod@ bcook@ beck@
|
#
1.13 |
|
14-Apr-2015 |
jsing |
Move verify externs into the header file.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.12 |
|
13-Jan-2015 |
bluhm |
Add the possibility to use the openssl s_client tool with an http proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@
|
#
1.11 |
|
14-Dec-2014 |
jsing |
unifdef OPENSSL_NO_NEXTPROTONEG
|
#
1.10 |
|
10-Dec-2014 |
jsing |
Add ALPN support to openssl(1).
Based on OpenSSL.
|
#
1.9 |
|
02-Dec-2014 |
deraadt |
convert select() to poll(). This is one of the most complicated conversions in the tree, because the original code is very rotten and fragile. Please test and report any failures. Assistance from millert, bcook, and jsing.
|
#
1.8 |
|
18-Nov-2014 |
krw |
Nuke more obvious #include duplications.
ok deraadt@ millert@ tedu@
|
#
1.7 |
|
07-Nov-2014 |
jsing |
More OPENSSL_NO_TLSEXT clean up.
|
#
1.6 |
|
06-Nov-2014 |
jsing |
TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT, which was already done for libssl some time back.
|
#
1.5 |
|
22-Oct-2014 |
jsing |
None of these need <openssl/rand.h>
|
#
1.4 |
|
20-Oct-2014 |
bcook |
s_client: don't call shutdown on a non-existent socket descriptor.
from Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ok beck@, deraadt@
|
#
1.3 |
|
13-Oct-2014 |
bcook |
Use O_NONBLOCK over FIONBIO.
Prefer this because it is the POSIX standard and has consistent behavior across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
#
1.2 |
|
01-Sep-2014 |
doug |
Enable -Wshadow in openssl(1) and fix a few shadow warnings.
ok jsing@
|
#
1.1 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.35 |
|
07-Feb-2018 |
jsing |
Indent labels with a single space so that diff prototypes are more useful.
|
#
1.34 |
|
07-Feb-2018 |
jsing |
Remove guards around *_free() calls since these functions handle NULL.
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.33 |
|
12-Aug-2017 |
jsing |
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@
|
#
1.32 |
|
18-Apr-2017 |
deraadt |
use freezero() instead of 4-line conditional explicit_bzero + free
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.31 |
|
24-Jan-2017 |
jsing |
Add a -groups option to openssl s_client, which allows supported EC curves to be specified as a colon separated list.
ok beck@
|
#
1.30 |
|
20-Jan-2017 |
deraadt |
rearrange pledge promises into the canonical order; easier to eyeball
|
#
1.29 |
|
30-Dec-2016 |
jsing |
Display details of the server ephemeral key, based on OpenSSL.
ok doug@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.28 |
|
21-Jun-2016 |
bcook |
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were succesfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.27 |
|
01-Dec-2015 |
jca |
Undo previous, pledge("dns") was already present. The problem was in s_server.
|
#
1.26 |
|
01-Dec-2015 |
beck |
pledge dns so openssl can use dns.. noticed and fix by todd@ ok jcs@ deraadt@ theo@
|
#
1.25 |
|
21-Nov-2015 |
jca |
In pledge(), put "dns" right after "inet".
|
#
1.24 |
|
21-Nov-2015 |
jca |
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@
|
#
1.23 |
|
17-Oct-2015 |
doug |
Exit if a pledge call fails in non-interactive mode.
ok semarie@
|
#
1.22 |
|
17-Oct-2015 |
semarie |
add "tty" for several subcommands of openssl
it is needed in order to let libssl UI_* function plays with echo on/off when asking for password on terminal.
passwd subcommand needs additionnal "wpath cpath" in order to let it calls fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several with and ok doug@
|
#
1.21 |
|
10-Oct-2015 |
doug |
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session than may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
#
1.20 |
|
06-Oct-2015 |
deraadt |
these do not use ioctl.h
|
#
1.19 |
|
11-Sep-2015 |
bcook |
Remove engine command and parameters from openssl(1).
Revision tags: OPENBSD_6_2_BASE
|
#
1.33 |
|
12-Aug-2017 |
jsing |
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@
|
#
1.32 |
|
18-Apr-2017 |
deraadt |
use freezero() instead of 4-line conditional explicit_bzero + free
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.31 |
|
24-Jan-2017 |
jsing |
Add a -groups option to openssl s_client, which allows supported EC curves to be specified as a colon separated list.
ok beck@
|
#
1.30 |
|
20-Jan-2017 |
deraadt |
rearrange pledge promises into the canonical order; easier to eyeball
|
#
1.29 |
|
30-Dec-2016 |
jsing |
Display details of the server ephemeral key, based on OpenSSL.
ok doug@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.28 |
|
21-Jun-2016 |
bcook |
Fix a bug loading the default certificate path locations.
The files would only be loaded if the CAfile or CApath locations were successfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
ok beck@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.27 |
|
01-Dec-2015 |
jca |
Undo previous, pledge("dns") was already present. The problem was in s_server.
|
#
1.26 |
|
01-Dec-2015 |
beck |
pledge dns so openssl can use dns. Noticed and fixed by todd@. ok jcs@ deraadt@ theo@
|
#
1.25 |
|
21-Nov-2015 |
jca |
In pledge(), put "dns" right after "inet".
|
#
1.24 |
|
21-Nov-2015 |
jca |
Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.
From todd@
|
#
1.23 |
|
17-Oct-2015 |
doug |
Exit if a pledge call fails in non-interactive mode.
ok semarie@
|
#
1.22 |
|
17-Oct-2015 |
semarie |
add "tty" for several subcommands of openssl
it is needed in order to let the libssl UI_* functions play with echo on/off when asking for a password on the terminal.
the passwd subcommand needs additional "wpath cpath" in order to let it call fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several with and ok doug@
|
#
1.21 |
|
10-Oct-2015 |
doug |
Initial support for pledges in openssl(1) commands.
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session that may execute any number of commands.
We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
#
1.20 |
|
06-Oct-2015 |
deraadt |
these do not use ioctl.h
|
#
1.19 |
|
11-Sep-2015 |
bcook |
Remove engine command and parameters from openssl(1).
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all.
ok jsing@
|
#
1.18 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
|
#
1.17 |
|
10-Sep-2015 |
bcook |
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
|
#
1.16 |
|
22-Aug-2015 |
jsing |
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere).
ok deraadt@ doug@
|
#
1.15 |
|
11-Aug-2015 |
landry |
Improve openssl s_client -starttls xmpp support.
From https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest
- add a -xmpphost option to specify the xmpp virtual host
- fix an infinite loop when the vhost isn't what the server expects
- fix communication with openfire & prosody servers
with tweaks & ok bcook@ doug@ manpage bits jmc@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.14 |
|
17-Jul-2015 |
doug |
Remove SSLv3 support from openssl(1) s_client.
ok miod@ bcook@ beck@
|
#
1.13 |
|
14-Apr-2015 |
jsing |
Move verify externs into the header file.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.12 |
|
13-Jan-2015 |
bluhm |
Add the possibility to use the openssl s_client tool with an http proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@
|
#
1.11 |
|
14-Dec-2014 |
jsing |
unifdef OPENSSL_NO_NEXTPROTONEG
|
#
1.10 |
|
10-Dec-2014 |
jsing |
Add ALPN support to openssl(1).
Based on OpenSSL.
|
#
1.9 |
|
02-Dec-2014 |
deraadt |
convert select() to poll(). This is one of the most complicated conversions in the tree, because the original code is very rotten and fragile. Please test and report any failures. Assistance from millert, bcook, and jsing.
|
#
1.8 |
|
18-Nov-2014 |
krw |
Nuke more obvious #include duplications.
ok deraadt@ millert@ tedu@
|
#
1.7 |
|
07-Nov-2014 |
jsing |
More OPENSSL_NO_TLSEXT clean up.
|
#
1.6 |
|
06-Nov-2014 |
jsing |
TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT, which was already done for libssl some time back.
|
#
1.5 |
|
22-Oct-2014 |
jsing |
None of these need <openssl/rand.h>
|
#
1.4 |
|
20-Oct-2014 |
bcook |
s_client: don't call shutdown on a non-existent socket descriptor.
from Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ok beck@, deraadt@
|
#
1.3 |
|
13-Oct-2014 |
bcook |
Use O_NONBLOCK over FIONBIO.
Prefer this because it is the POSIX standard and has consistent behavior across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
#
1.2 |
|
01-Sep-2014 |
doug |
Enable -Wshadow in openssl(1) and fix a few shadow warnings.
ok jsing@
|
#
1.1 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|