path: root/openssl/src/ssl
Commit message | Author | Age | Files | Lines
...
* Merge pull request #266 from jmesmon/alpn | Steven Fackler | 2015-09-16 | 2 | -5/+51
|\
| |   ssl/npn+alpn: adjust protocol selection to fail if no protocols match
| * ssl/alpn: test mismatch between protocols resulting in None | Cody P Schafer | 2015-09-16 | 1 | -0/+43
| |
| * ssl/npn+alpn: adjust protocol selection to fail if no protocols match | Cody P Schafer | 2015-09-01 | 1 | -2/+5
| |   The current behavior causes a server written using rust-openssl to (if it cannot negotiate a protocol) fall back to the first protocol it has available. This makes it impossible to detect protocol mismatches.
| |
| |   This updates our selection to be more similar to how openssl's s_server behaves: non-matching protocols are not supplied with a fallback.
| |
| |   Note that some setups may actually want a fallback protocol supplied via ALPN. To support those cases, we should consider adding a generic callback that allows protocol selection to be entirely controlled by the programmer.
| |
| |   For the purposes of having a sane default, however, not supplying a default (and mimicking s_server's behavior) is the best choice.
| * openssl/ssl: fix some of the comment text where I missed replacing NPN with ALPN | Cody P Schafer | 2015-09-01 | 1 | -3/+3
| |
* | Use try_ssl_null!() when relevant | Frank Denis | 2015-09-13 | 1 | -12/+3
|/
* Add support for set_tmp_dh() and RFC5114 DH parameters for forward secrecy. | Frank Denis | 2015-08-31 | 1 | -0/+7
|   rust-openssl didn't support forward secrecy at all.
|
|   This adds support for DHE, by exposing set_tmp_dh() as well as the RFC5114 parameters, which are conveniently exposed since OpenSSL 1.0.2.
|
|   With OpenSSL >= 1.0.2, and the rfc5114 feature gate, enabling DHE is as simple as (here for 2048-bit MODP group with 256-bit prime order subgroup):
|
|       use openssl::dh::DH;
|       let dh = DH::get_2048_256().unwrap();
|       ctx.set_tmp_dh(dh).unwrap();
|
|   With OpenSSL < 1.0.2, DH::from_params() can be used to manually specify the DH parameters (here for 2048-bit MODP group with 256-bit prime order subgroup):
|
|       use openssl::bn::BigNum;
|       use openssl::dh::DH;
|       let p = BigNum::from_hex_str("87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435E3B00E00DF8F1D61957D4FAF7DF4561B2AA3016C3D91134096FAA3BF4296D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B4758C022E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF12307F5C4FDB70C581B23F76B63ACAE1CAA6B7902D52526735488A0EF13C6D9A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5140564251CCACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE621C3A3960A54E710C375F26375D7014103A4B54330C198AF126116D2276E11715F693877FAD7EF09CADB094AE91E1A1597").unwrap();
|       let g = BigNum::from_hex_str("3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF205407F4793A1A0BA12510DBC15077BE463FFF4FED4AAC0BB555BE3A6C1B0C6B47B1BC3773BF7E8C6F62901228F8C28CBB18A55AE31341000A650196F931C77A57F2DDF463E5E9EC144B777DE62AAAB8A8628AC376D282D6ED3864E67982428EBC831D14348F6F2F9193B5045AF2767164E1DFC967C1FB3F2E55A4BD1BFFE83B9C80D052B985D182EA0ADB2A3B7313D3FE14C8484B1E052588B9B7D2BBD2DF016199ECD06E1557CD0915B3353BBB64E0EC377FD028370DF92B52C7891428CDC67EB6184B523D1DB246C32F63078490F00EF8D647D148D47954515E2327CFEF98C582664B4C0F6CC41659").unwrap();
|       let q = BigNum::from_hex_str("8CF83642A709A097B447997640129DA299B1A47D1EB3750BA308B0FE64F5FBD3").unwrap();
|       let dh = DH::from_params(p, g, q).unwrap();
|       ctx.set_tmp_dh(dh).unwrap();
* Add get_state_string() | Manuel Schölling | 2015-08-17 | 2 | -0/+35
|
* Grab errno for directstream want errors | Steven Fackler | 2015-08-10 | 1 | -7/+2
|
* Handle WantWrite and WantRead errors | Steven Fackler | 2015-08-08 | 1 | -0/+8
|
* Merge pull request #243 from manuels/master | Steven Fackler | 2015-08-02 | 2 | -2/+41
|\
| |   Fix problems with DTLS when no packets are pending.
| * Fix problems with DTLS when no packets are pending. | Manuel Schölling | 2015-07-18 | 2 | -2/+41
| |   When using DTLS you might run into the situation where no packets are pending, so SSL_read returns len=0. On a TLS connection this means that the connection was closed, but on DTLS it does not (a DTLS connection cannot be closed in the usual sense).
| |
| |   This commit fixes a bug introduced by c8d23f3.
| |
| |   Conflicts:
| |       openssl/src/ssl/mod.rs
* | Expose ssl::init | panicbit | 2015-07-26 | 1 | -1/+3
|/
* Decouple C SSL Option bit flags from Rust version | Jethro Beekman | 2015-07-01 | 1 | -29/+46
|   The OpenSSL "SSL_OP_*" flags are in constant flux between different OpenSSL versions. To avoid having to change the Rust definitions, we implement our own numbering system in Rust, and use an automatically-generated C shim to convert the bitflags at runtime.
* Fix backcompat method | Steven Fackler | 2015-06-29 | 1 | -1/+1
|
* Fix build with alpn feature | Steven Fackler | 2015-06-29 | 2 | -3/+3
|
* ssl: support ALPN | Cody P Schafer | 2015-06-29 | 2 | -15/+213
|   Heavily based on the existing NPN wrapping code. Naming of public functions is identical to the NPN ones with `s/npn/alpn/` applied to prevent devs from needing to remember 2 names (and to let me copy the npn tests and perform the substitution to generate the alpn tests).
|
|   It might make sense to (at some point) use macros or a trait to cut down the duplication.
* ssl/NPN: factor out encoding of the protocol list | Cody P Schafer | 2015-06-29 | 1 | -8/+19
|   The intention is to allow the encoding to be reused by the ALPN support code.
* ssl: use a common helper to generate new ex data indexes, switch NPN to a lazyref | Cody P Schafer | 2015-06-29 | 1 | -33/+17
|   Rather than having the verification data idx generation and NPN use their own (similar) impls to generate indexes with destructors, unify them.
|
|   Make NPN's use of indexes more idiomatic by storing the index in a lazyref rather than having a function with static data members.
* More docs | Steven Fackler | 2015-06-28 | 1 | -0/+16
|
* Fix windows build | Steven Fackler | 2015-06-28 | 1 | -0/+2
|
* Docs | Steven Fackler | 2015-06-28 | 1 | -18/+10
|
* Make the direct constructors the defaults | Steven Fackler | 2015-06-28 | 2 | -35/+35
|
* Add docs for accept and connect | Steven Fackler | 2015-06-28 | 1 | -0/+22
|
* Rename new_client to connect and new_server to accept | Steven Fackler | 2015-06-28 | 2 | -44/+49
|
* Implement direct IO support | Steven Fackler | 2015-06-28 | 2 | -13/+187
|
* Prepare for direct stream support | Steven Fackler | 2015-06-27 | 1 | -78/+165
|
* Docs tweak | Steven Fackler | 2015-06-27 | 1 | -1/+2
|
* Reduce SslStream constructor duplication | Steven Fackler | 2015-06-27 | 2 | -41/+62
|
* Initialize stream buffer | Steven Fackler | 2015-06-27 | 1 | -8/+2
|
* Fix set_hostname | Steven Fackler | 2015-06-27 | 1 | -10/+2
|   It was previously failing to null terminate the hostname string (was anyone actually using this?). Also move the macro expansion to the C shim.
* Add a test for connection negotiation failure | Steven Fackler | 2015-06-25 | 1 | -1/+10
|
* Fix EOF handling in retry wrapper | Steven Fackler | 2015-06-25 | 2 | -5/+7
|
* Test reading CN from test certificate | Joseph Glanville | 2015-05-18 | 1 | -2/+2
|
* Add test for get_peer_certificate() | Joseph Glanville | 2015-05-16 | 1 | -0/+10
|
* Add accessor for peer_certificate | Joseph Glanville | 2015-05-16 | 1 | -0/+5
|
* Merge pull request #210 from manuels/pending | Steven Fackler | 2015-05-05 | 2 | -0/+36
|\
| |   Add SslStream.pending()
| * Add SslStream.pending() | Manuel Schölling | 2015-04-30 | 2 | -0/+36
| |
* | Abstract over AsRef<Path> | Steven Fackler | 2015-05-02 | 1 | -7/+7
|/
* Write through to underlying stream for every write call | Steven Fackler | 2015-04-30 | 2 | -10/+35
|   cc #208
* Fix nightly build issues | Steven Fackler | 2015-04-15 | 2 | -8/+1
|
* Fix non-dtls tests | Steven Fackler | 2015-04-08 | 1 | -4/+3
|
* Fix dtls tests | Steven Fackler | 2015-04-08 | 1 | -8/+8
|   There's a reason static mut is unsafe...
* Adapt code for rust-1.0.0-beta | Manuel Schölling | 2015-04-06 | 1 | -9/+6
|
* Fix rebase errors | Manuel Schölling | 2015-04-06 | 2 | -9/+2
|
* Add ability to load private keys from files and use raw keys and certificates for SslContext | Manuel Schölling | 2015-04-06 | 1 | -1/+1
|   Conflicts:
|       openssl/src/crypto/pkey.rs
|       openssl/src/ssl/tests.rs
* Add ability to load private keys from files and use raw keys and certificates for SslContext | Manuel Schölling | 2015-04-06 | 1 | -2/+5
|   Conflicts:
|       openssl/src/ssl/tests.rs
* Change SslContext::set_read_ahead(c_long) to SslContext::set_read_ahead(u32) | Manuel Schölling | 2015-04-06 | 1 | -2/+2
|
* Debug halteproblem with tests | Manuel Schölling | 2015-04-06 | 1 | -2/+2
|
* Move connected_socket to its own crate and fix SSL_CTX_set_read_ahead() | Manuel Schölling | 2015-04-06 | 3 | -355/+9
|
* Use latest OpenSSL version in travis tests and more verbose error message in ConnectedSocket | Manuel Schölling | 2015-04-06 | 1 | -2/+5