| Age | Commit message (Collapse) | Author |
|---|
|
Let's implement X509_STORE_up_ref on our own.
|
|
OpenSSL doesn't increment the reference count when the store is assigned
to a SSL_CTX.
|
|
This restores the previous behaviour.
Signed-off-by: Edward Tomasz Napierala <trasz@FreeBSD.org>
|
|
Signed-off-by: Edward Tomasz Napierala <trasz@FreeBSD.org>
|
|
Check whether the client certificate is expired.
|
|
provide net_start_ssl api
|
|
fixes #615
|
|
- X509_get_notBefore becomes X509_get0_notBefore
- X509_get_notAfter becomes X509_get0_notAfter
- ASN1_STRING_data becomes ASN1_STRING_get0_data (and drops the const)
- The whole library is now initialized by OPENSSL_init_ssl
Closes #597
|
|
Right now we only warn the user, the connection keeps going.
Fixes #211
|
|
Original patch by 'Slarky'
According to that ticket, the next major version of solaris won't need
this. Consider reverting this when solaris 11.3 stops being relevant.
|
|
|
|
This patch moves the emitted "tls handshake finished" signal to before
we do validation of the given TLS certificate. This ensures that we
display certificate information before we possibly error out and
disconnects from the server.
|
|
This patch removes support for DANE validation of TLS certificates.
There wasn't enough support in the IRC community to push for this on the
majority of bigger IRC networks. If you believe this should be
reintroduced into irssi, then please come up with an implementation that
does not rely on the libval library. It is causing a lot of troubles for
our downstream maintainers.
|
|
|
|
|
|
|
|
|
|
This patch adds two new options to /CONNECT and /SERVER to let the user
pin either an x509 certificate and/or the public key of a given server.
It is possible to fetch the certificate outside of Irssi itself to
verify the checksum. To fetch the certificate call:
$ openssl s_client -connect chat.freenode.net:6697 < /dev/null 2>/dev/null | \
openssl x509 > freenode.cert
This will download chat.freenode.net:6697's TLS certificate and put it into the
file freenode.cert.
-tls_pinned_cert
----------------
This option allows you to specify the SHA-256 hash of the x509
certificate. When succesfully connected to the server, irssi will verify
that the given server certificate matches the pin set by the user.
The SHA-256 hash of a given certificate can be verified outside of irssi
using the OpenSSL command line tool:
$ openssl x509 -in freenode.cert -fingerprint -sha256 -noout
-tls_pinned_pubkey
------------------
This option allows you to specify the SHA-256 hash of the subject public key
information section of the server certificate. This section contains both the
cryptographic parameters for the public key, but also information about the
algorithm used together with the public key parameters.
When succesfully connected to the server, irssi will verify that the
given public key matches the pin set by the user.
The SHA-256 hash of a public key can be verified outside of irssi using
the OpenSSL command line tool:
$ openssl x509 -in freenode.cert -pubkey -noout | \
openssl pkey -pubin -outform der | \
openssl dgst -sha256 -c | \
tr a-z A-Z
It is possible to specify both -tls_pinned_cert and -tls_pinned_pubkey
together.
|
|
|
|
|
|
|
|
This patch changes the internal name of SSL to TLS. We also add -tls_*
options to /CONNECT and /SERVER, but make sure that the -ssl_* versions
of the commands continue to work like before.
|
|
This patch removes the optional checks for whether to build irssi with
TLS support or not. This will allow us to ship a default configuration
file where we connect to TLS enabled IRC servers out of the box.
|
|
|
|
Otherwise we can see errors that are not related to the operation
we check for. SSL_get_error() inspects the thread's error queue.
See https://www.openssl.org/docs/manmaster/ssl/SSL_get_error.html for
more information.
|
|
and warn when no cipher suite could be selected.
|
|
|
|
|
|
|
|
|
|
Fixes: Bug #305
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5231 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5223 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
This patch adds 3 new signals:
* tlsa avalable: emitted if TLSA is available for a given domain.
* tlsa verification success: emitted if the TLSA check was successful.
* tlsa verification failed: emitted if the TLSA check was unsuccessful.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5220 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
This patch refactors how we are passing connection information for SSL
connections. This will allow us to emit signals with a SERVER_REC as
parameter during SSL handshake.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5219 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
This patch adds experimental support for the DNSSEC DANE verification
protocol using the libval library from the DNSSEC-Tools package.
Thanks to Thomas Steen Ramussen for creating a test setup and suggesting
the idea of experimenting with DANE support in Irssi :-)
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5218 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
connections to TLSv1.1 servers from working. Patch by pi-rho.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5216 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5186 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5170 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5136 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5117 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5116 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
certain versions of OpenSSL.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5108 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
This allows useful use of -ssl_verify without
-ssl_cafile/-ssl_capath, using OpenSSL's default trusted CAs.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5107 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
connecting to
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5104 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
the same).
This fixes disconnects when sending large amounts of data
to the server.
Note that it assumes that write retries will retry the same
data; a reasonable assumption, but it is not necessary for
any normal write().
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5095 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5031 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
Display more detailed error messages about SSL and
fix assertion failure warnings on some SSL errors.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@4933 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
the openssl error string.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@4884 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
openssl error is SSL_WANT_{READ,WRITE}, G_IO_STATUS_ERROR otherwise.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@4883 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: http://svn.irssi.org/repos/irssi/trunk@4792 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
