summaryrefslogtreecommitdiff
path: root/src/core/network-openssl.c
AgeCommit message (Collapse)Author
2018-01-25fix sequence errorAilin Nemui
2018-01-25Do not use X509_STORE on OpenSSL < 1.0.2Ailin Nemui
2017-11-30move decls before codeailin-nemui
2017-11-30fix commentsailin-nemui
2017-09-11Restore compatibility with old OpenSSL versionsLemonBoy
Let's implement X509_STORE_up_ref on our own.
2017-09-11Increment the X509_STORE refcount during the connectionLemonBoy
OpenSSL doesn't increment the reference count when the store is assigned to a SSL_CTX.
2017-08-10Don't error out on failure to load default certificate store.Edward Tomasz Napierala
This restores the previous behaviour. Signed-off-by: Edward Tomasz Napierala <trasz@FreeBSD.org>
2017-08-01Change the way we load default CA certificates so it works with Capsicum.Edward Tomasz Napierala
Signed-off-by: Edward Tomasz Napierala <trasz@FreeBSD.org>
2017-02-15Merge pull request #627 from LemonBoy/ssl-expiryailin-nemui
Check whether the client certificate is expired.
2017-02-06Merge pull request #622 from ailin-nemui/starttlsailin-nemui
provide net_start_ssl api
2017-02-05provide net_start_ssl apiailin-nemui
fixes #615
2017-02-03Support OpenSSL 1.1.0.LemonBoy
- X509_get_notBefore becomes X509_get0_notBefore - X509_get_notAfter becomes X509_get0_notAfter - ASN1_STRING_data becomes ASN1_STRING_get0_data (and drops the const) - The whole library is now initialized by OPENSSL_init_ssl Closes #597
2017-01-22Check whether the client certificate is expired.LemonBoy
Right now we only warn the user, the connection keeps going. Fixes #211
2017-01-06Add OPENSSL_NO_EC for solaris 11.3, see issue #598dequis
Original patch by 'Slarky' According to that ticket, the next major version of solaris won't need this. Consider reverting this when solaris 11.3 stops being relevant.
2016-10-22Kill do { ... } while (0); and replace it with goto's.Alexander Færøy
2016-10-22Emit the TLS handshake finished signal before we do verification.Alexander Færøy
This patch moves the emitted "tls handshake finished" signal to before we do validation of the given TLS certificate. This ensures that we display certificate information before we possibly error out and disconnects from the server.
2016-10-22Kill support for DANE.Alexander Færøy
This patch removes support for DANE validation of TLS certificates. There wasn't enough support in the IRC community to push for this on the majority of bigger IRC networks. If you believe this should be reintroduced into irssi, then please come up with an implementation that does not rely on the libval library. It is causing a lot of troubles for our downstream maintainers.
2016-10-22Lift EC_KEY declaration onto the entry of the function.Alexander Færøy
2016-10-22Lift ASN1_STRING declaration onto the entry of the function.Alexander Færøy
2016-10-22Declare variables in the beginning of the function.Alexander Færøy
2016-10-22Make sure we clean-up after ourself upon failure.Alexander Færøy
2016-10-22Add x509 certificate and public key pinning support.Alexander Færøy
This patch adds two new options to /CONNECT and /SERVER to let the user pin either an x509 certificate and/or the public key of a given server. It is possible to fetch the certificate outside of Irssi itself to verify the checksum. To fetch the certificate call: $ openssl s_client -connect chat.freenode.net:6697 < /dev/null 2>/dev/null | \ openssl x509 > freenode.cert This will download chat.freenode.net:6697's TLS certificate and put it into the file freenode.cert. -tls_pinned_cert ---------------- This option allows you to specify the SHA-256 hash of the x509 certificate. When succesfully connected to the server, irssi will verify that the given server certificate matches the pin set by the user. The SHA-256 hash of a given certificate can be verified outside of irssi using the OpenSSL command line tool: $ openssl x509 -in freenode.cert -fingerprint -sha256 -noout -tls_pinned_pubkey ------------------ This option allows you to specify the SHA-256 hash of the subject public key information section of the server certificate. This section contains both the cryptographic parameters for the public key, but also information about the algorithm used together with the public key parameters. When succesfully connected to the server, irssi will verify that the given public key matches the pin set by the user. The SHA-256 hash of a public key can be verified outside of irssi using the OpenSSL command line tool: $ openssl x509 -in freenode.cert -pubkey -noout | \ openssl pkey -pubin -outform der | \ openssl dgst -sha256 -c | \ tr a-z A-Z It is possible to specify both -tls_pinned_cert and -tls_pinned_pubkey together.
2016-10-22s/SSL/TLS/ for warning strings.Alexander Færøy
2016-10-22Simplify TLS verification error handling.Alexander Færøy
2016-10-22Populate and emit TLS_REC after TLS handshake have completed.Alexander Færøy
2016-10-22Rename SSL to TLS.Alexander Færøy
This patch changes the internal name of SSL to TLS. We also add -tls_* options to /CONNECT and /SERVER, but make sure that the -ssl_* versions of the commands continue to work like before.
2016-10-16Always build irssi with TLS support.Alexander Færøy
This patch removes the optional checks for whether to build irssi with TLS support or not. This will allow us to ship a default configuration file where we connect to TLS enabled IRC servers out of the box.
2016-03-13Add clear error calls to irssi_ssl_get_iochannelWill Storey
2016-03-13Clear error queue before SSL I/O operationsWill Storey
Otherwise we can see errors that are not related to the operation we check for. SSL_get_error() inspects the thread's error queue. See https://www.openssl.org/docs/manmaster/ssl/SSL_get_error.html for more information.
2015-04-15ssl: Fixed call to SSL_CTX_set_cipher_list() only when ssl_ciphers specified ↵Haw Loeung
and warn when no cipher suite could be selected.
2015-04-14ssl: Add option to specify SSL cipher suite preference.Haw Loeung
2015-04-07Add SNI supportAdam
2014-10-15Disable SSLv3Alexander Færøy
2014-06-26Add some missing casts to silence compiler warningsDavid Leadbeater
2014-01-11Add -ssl_pass to /connect and /serverAlexander Færøy
Fixes: Bug #305 git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5231 dbcabf3a-b0e7-0310-adc4-f8d773084564
2013-06-25Clean-up after ourselvesAlexander Færøy
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5223 dbcabf3a-b0e7-0310-adc4-f8d773084564
2013-06-23Add TLSA related signalsAlexander Færøy
This patch adds 3 new signals: * tlsa avalable: emitted if TLSA is available for a given domain. * tlsa verification success: emitted if the TLSA check was successful. * tlsa verification failed: emitted if the TLSA check was unsuccessful. git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5220 dbcabf3a-b0e7-0310-adc4-f8d773084564
2013-06-23Pass SERVER_REC directly to net_connect_ip_sslAlexander Færøy
This patch refactors how we are passing connection information for SSL connections. This will allow us to emit signals with a SERVER_REC as parameter during SSL handshake. git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5219 dbcabf3a-b0e7-0310-adc4-f8d773084564
2013-06-23Implement experimental DNSSEC DANE supportAlexander Færøy
This patch adds experimental support for the DNSSEC DANE verification protocol using the libval library from the DNSSEC-Tools package. Thanks to Thomas Steen Ramussen for creating a test setup and suggesting the idea of experimenting with DANE support in Irssi :-) git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5218 dbcabf3a-b0e7-0310-adc4-f8d773084564
2012-06-24Do not set SSL_OP_ALL, it is not needed to disable SSLv2 and it can preventEmanuele Giaquinta
connections to TLSv1.1 servers from working. Patch by pi-rho. git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5216 dbcabf3a-b0e7-0310-adc4-f8d773084564
2010-07-28Fix indention.Alexander Færøy
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5186 dbcabf3a-b0e7-0310-adc4-f8d773084564
2010-05-16Fix segfault generated by SSL disconnections. (Bug #752)Jase Thew
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5170 dbcabf3a-b0e7-0310-adc4-f8d773084564
2010-04-03Do not use SSLv2 protocol. From Bazerka.Alexander Færøy
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5136 dbcabf3a-b0e7-0310-adc4-f8d773084564
2010-02-22Fix compiling without sslWouter Coekaerts
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5117 dbcabf3a-b0e7-0310-adc4-f8d773084564
2010-02-19network-openssl: Show why a certificate failed validation.Jilles Tjoelker
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5116 dbcabf3a-b0e7-0310-adc4-f8d773084564
2010-01-31Call OpenSSL_add_all_algorithms(), may be needed to verify SHA256 certs with ↵Jilles Tjoelker
certain versions of OpenSSL. git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5108 dbcabf3a-b0e7-0310-adc4-f8d773084564
2010-01-31Use one SSL_CTX per connection, use default trusted CAs if nothing specified.Jilles Tjoelker
This allows useful use of -ssl_verify without -ssl_cafile/-ssl_capath, using OpenSSL's default trusted CAs. git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5107 dbcabf3a-b0e7-0310-adc4-f8d773084564
2009-12-28Check if an SSL certificate matches the hostname of the server we are ↵Wouter Coekaerts
connecting to git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5104 dbcabf3a-b0e7-0310-adc4-f8d773084564
2009-09-02Tell OpenSSL that our write buffer may move (although the content remains ↵Jilles Tjoelker
the same). This fixes disconnects when sending large amounts of data to the server. Note that it assumes that write retries will retry the same data; a reasonable assumption, but it is not necessary for any normal write(). git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5095 dbcabf3a-b0e7-0310-adc4-f8d773084564
2009-02-28Remove unused variable.Jilles Tjoelker
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5031 dbcabf3a-b0e7-0310-adc4-f8d773084564
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-07 05:46:31 +0000