All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts...):
net/radsecproxy/distinfo
The following distfiles could not be fetched (fetched conditionally?):
./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch

- sslhandle to bind to IPv4 sockets, if told so.
- Compatibility tests with OpenSSL 3.0. Still preliminary.

- fehQlibs-17 changes included regarding socket interface.
- Synced with ucspi-tcp6-1.12.3 providing MAXCONIP capabilities.
- Successful integration tests for OpenSSL 3.0.0-alpha13 and
LibreSSL 3.3.1.
- Fixed sslserver's binding to IPv4/IPv6 addresses; code aligned with
tcpserver.

- GCC 10 compliance enforced.
pkgsrc changes:
- Catch up DEFAULT_MEDIUM_CIPHERS to NetBSD-current's.

to match those of ucspi-tcp6 1.11.6, so:
- Fixed problem for sslserver binding to local IPv4 addresses. Improved
selection of IP addresses given the user flags -4/-6 and none.
- Improved sslclient's binding given several hostnames available in DNS.

- Added pollmax limit to sslserver and sslhandle.
- sslclient streamlined with tcpclient. fehQlibs-15 are required.

Instead:
1. Package makefiles including their own options.mk
2. Packages say "SUBST_CLASSES+=djberrno" to get the hack, if needed
3. Packages adjust SUBST_FILES.djberrno, if needed
Should fix bulk build failures due to multiple inclusions of options.mk
and/or incorrect definitions of DJB_ERRNO_HACK.
Approved during the freeze by wiz@.

- Fixed iopause return value evaluation in remoteinfo.c.
- Removed return call evaluation of iopause in ssl_io.c and ssl_timeout.c
Not clear whether this is a result of the polling.

- Adopted some fixes contributed by Alan S. (mtx):
DNS IP Name qualification; X.509 DNS name matching; certs are only
read on demand.
- Support of STARTTLS in sslclient is postponed to next minor version.
- Straightened error codes and exiting for sslserver/sslhandle instead of
dropping the session in case of errors.

previous update, unset it. Bump PKGREVISION.
The complete diffs:
diff -Naur OLD/host/superscript.com/net/ucspi-ssl-0.11.1/package/build NEW/host/superscript.com/net/ucspi-ssl-0.11.1/package/build
--- OLD/host/superscript.com/net/ucspi-ssl-0.11.1/package/build 2019-11-07 11:21:18.000000000 -0500
+++ NEW/host/superscript.com/net/ucspi-ssl-0.11.1/package/build 2019-12-28 11:31:11.000000000 -0500
@@ -1 +1 @@
-20191107172118
+20191228173111
diff -Naur OLD/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslclient.c NEW/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslclient.c
--- OLD/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslclient.c 2019-09-08 15:02:23.000000000 -0400
+++ NEW/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslclient.c 2019-12-28 06:34:03.000000000 -0500
@@ -227,6 +227,7 @@
if (!stralloc_copys(&addresses,"")) nomem();
byte_copy(addresses.s,12,V4mappedprefix);
byte_copy(addresses.s + 12,4,ipremote + 12);
+ ipv4socket = 1;
} else if (ip6_scan(hostname,ipremote))
if (!stralloc_copyb(&addresses,ipremote,16)) nomem();
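Review bot: `ipv4socket = 1` is set only on the branch where `hostname` parsed as an IPv4 literal; the `else if (ip6_scan(hostname,ipremote))` branch beneath it and whatever path resolves a non-literal hostname are not touched, so a name whose lookup yields only IPv4 (which this code would likewise carry as `V4mappedprefix` plus four address bytes) still leaves the flag at whatever value it had before. Check that `ipv4socket` is initialised to 0 ahead of this block and that the resolver path sets it for v4-mapped results as well, otherwise only literal addresses get the IPv4 socket treatment.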
diff -Naur OLD/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslserver.c NEW/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslserver.c
--- OLD/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslserver.c 2019-09-15 06:20:23.000000000 -0400
+++ NEW/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslserver.c 2019-12-28 06:36:10.000000000 -0500
@@ -755,7 +755,7 @@
if (!addresses.len) {
if (!stralloc_copys(&tmp,hostname)) drop_nomem();
if (dns_ip6_qualify(&addresses,&fqdn,&tmp) <= 0)
- logmsg(WHO,111,FATAL,B("temporarily unable to figure out IP address for: ",(char *)hostname));
+ logmsg(WHO,111,FATAL,B("unable to figure out IP address for: ",(char *)hostname));
}
if (addresses.len < 16)
logmsg(WHO,111,FATAL,B("no IP address for: ",(char *)hostname));
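Review bot: dropping "temporarily" from the message while keeping exit status 111 leaves wording and status out of step, since 111 is the temporary-failure code in the djb convention that these `logmsg(WHO,111,FATAL,...)` calls follow. The condition `dns_ip6_qualify(&addresses,&fqdn,&tmp) <= 0` folds a lookup error and an empty answer into one case, and the empty-answer case is already caught two lines further down by `if (addresses.len < 16)` with "no IP address for:". Consider reporting only `< 0` here, with the temporary wording and 111, and leaving the permanent "no address" case to the `addresses.len` check, where exit 100 would be the conventional status.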

- Added compatibility with fehQlibs-13.
- Fixed wrong behavior of sslserver/sslclient given a local or remote
IPv4 address. sslhandle is now its own program (man sslhandle.3).
- Code streamlined with ucspi-tcp6-1.11.0.
- Removed parenthesis from host in https@: [$host]:$port -> $host:port.
Tx, A.E.
- Fixed TLSv1* macros' names in ucspissl.h to match ssl_context.c.
- Clarified usage of 'SSL_CTX_set_ciphersuites()' in ssl_ciphers.c.

pkglint -Wall -F --only aligned --only indent -r
No manual corrections.

important diffs from 20190803110528 to 20190803131811. Set DIST_SUBDIR
and update checksum.

- Fixed potential stack corruption in sslclient/sslhandle/sslserver
while assigning hostname => 0.
- Improved OpenSSL + LibreSSL compatibility:
- LibreSSL 2.5 to 2.9 is working
- OpenSSL 1.0.2 to 1.1.1 is working
- Added SNI for sslclient.
- Fixes for sslhandle.
- Included new CIPHERLIST API for ssl_ciphers.
- Removed dependency on conf-tcpbin; modules are expected to be
in the path.
- Modules rts.base and rts.sslperl are working now.

- Added DSA/DSS (+ECC) signature verification in addition to RSA.
- Added compatibility with fehQlibs-12.

- Fixed broken evaluation of CIDR and IPv6 addresses;
adjusted with ucspi-tcp6-1.10.5.
- Improved compatibility with LibreSSL and included description.

- Added dualstack handling for servers applying the
pseudo IP address ':0' on call (common now for all servers).
- Tailored TLS error handling for EAGAIN and error codes.
- Rewrote IPv4 CIDR address evaluation for rules.
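The CIDR rule evaluation the two entries above refer to (IPv4 CIDR rules on the one hand, v4-mapped addresses arriving on a dualstack socket on the other) is illustrated by the following added example. It is not ucspi-ssl's or ucspi-tcp6's own rules code; the `cidr_rule` type, the function names and the sample rules and client addresses are constructed for this illustration. The point it makes is that IPv4 rules and client addresses are normalised into the v4-mapped IPv6 form before comparison, so a rule such as 10.0.0.0/8 also admits a client that a dualstack listener reports as ::ffff:10.1.2.3, which is the case a rules file silently fails to match when IPv4 and IPv6 are compared as separate families.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical rule record for this example (not ucspi-ssl's rules format):
   the network is always kept as 16 bytes, IPv4 as ::ffff:a.b.c.d, and IPv4
   prefix lengths are shifted by 96 so one comparison serves both families. */
typedef struct {
    unsigned char net[16];
    int prefix;   /* 0..128 */
} cidr_rule;

static const unsigned char v4mapped[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};

/* Normalise a textual address (dotted quad, IPv6, or ::ffff:a.b.c.d) to 16 bytes. */
int addr_parse(const char *text, unsigned char out[16]) {
    if (inet_pton(AF_INET, text, out + 12) == 1) {
        memcpy(out, v4mapped, 12);
        return 1;
    }
    return inet_pton(AF_INET6, text, out) == 1;
}

/* Parse "net" or "net/len" into a rule. Junk after the slash and over-long
   prefixes are rejected rather than clamped: a rule that does not parse must
   fail closed. Returns 1 on success. */
int cidr_parse(const char *text, cidr_rule *r) {
    char buf[64];
    char *slash, *end;
    long plen = -1;

    if (strlen(text) >= sizeof buf) return 0;
    strcpy(buf, text);
    slash = strchr(buf, '/');
    if (slash) {
        plen = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || plen < 0) return 0;
        *slash = '\0';
    }
    if (inet_pton(AF_INET, buf, r->net + 12) == 1) {
        memcpy(r->net, v4mapped, 12);
        if (plen < 0) plen = 32;
        if (plen > 32) return 0;
        r->prefix = (int)plen + 96;
        return 1;
    }
    if (inet_pton(AF_INET6, buf, r->net) != 1) return 0;
    if (plen < 0) plen = 128;
    if (plen > 128) return 0;
    r->prefix = (int)plen;
    return 1;
}

/* Prefix comparison on whole bytes first, then a masked final byte. */
int cidr_match(const cidr_rule *r, const unsigned char addr[16]) {
    int full = r->prefix / 8, rest = r->prefix % 8;
    unsigned char mask;
    if (memcmp(r->net, addr, (size_t)full) != 0) return 0;
    if (rest == 0) return 1;
    mask = (unsigned char)(0xffu << (8 - rest));
    return (r->net[full] & mask) == (addr[full] & mask);
}

/* Does the textual rule admit the textual client address? Unparseable input denies. */
int rule_allows(const char *rule_text, const char *client) {
    cidr_rule r;
    unsigned char a[16];
    if (!cidr_parse(rule_text, &r) || !addr_parse(client, a)) return 0;
    return cidr_match(&r, a);
}

int main(void) {
    const char *rule = "10.0.0.0/8";   /* constructed sample rule */
    const char *clients[] = {"10.1.2.3", "::ffff:10.1.2.3", "11.1.2.3"};   /* constructed sample peers */
    for (int i = 0; i < 3; i++)
        printf("%-12s %-18s %s\n", rule, clients[i], rule_allows(rule, clients[i]) ? "allow" : "deny");
    return 0;
}
```

Because both sides are reduced to 16 bytes, an IPv6 rule written as ::ffff:10.0.0.0/104 and an IPv4 rule written as 10.0.0.0/8 are the same rule, and a client address in either notation is matched identically.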

interoperable. Use Postfix's `tls_medium_cipherlist` instead. Bump
PKGREVISION.

- Better handling of read EAGAIN (sslserver may hang).
- Include socket_dualstack option (required for OS with IPv6_V6ONLY).
- fehQlibs-10 required.
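What a socket_dualstack option has to control, as an added example written for this page and not taken from ucspi-ssl or fehQlibs: an IPv6 listening socket on which IPV6_V6ONLY is set explicitly instead of being inherited from the OS default (Linux takes it from net.ipv6.bindv6only; OpenBSD refuses to clear it, so the setsockopt fails with EINVAL and IPv4 then needs its own PF_INET socket, which is the "OS with IPv6_V6ONLY" case the entry above refers to). The function names are assumptions made here.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a listening PF_INET6 socket with IPV6_V6ONLY set explicitly.
   want_v6only = 0 gives a dualstack socket: IPv4 clients arrive on the same
   fd with peer address ::ffff:a.b.c.d.  want_v6only = 1 gives IPv6 only, and
   IPv4 must then be served by a separate PF_INET socket.
   Returns the fd, or -errno (on OpenBSD clearing the option fails with EINVAL). */
int open_listener6(const char *ip6, unsigned short port, int want_v6only) {
    struct sockaddr_in6 sa;
    int fd, one = 1, e;

    fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    /* Never inherit the default (sysctl net.ipv6.bindv6only on Linux): decide here. */
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &want_v6only, sizeof want_v6only) < 0) {
        e = errno; close(fd); return -e;
    }
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_port = htons(port);
    if (inet_pton(AF_INET6, ip6, &sa.sin6_addr) != 1) { close(fd); return -EINVAL; }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        e = errno; close(fd); return -e;
    }
    return fd;
}

/* Effective IPV6_V6ONLY on an open socket: 0 dualstack, 1 IPv6 only, -errno on error. */
int listener_v6only(int fd) {
    int v = 0;
    socklen_t len = sizeof v;
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v, &len) < 0) return -errno;
    return v != 0;
}

/* Family of an accepted peer as a rules engine should see it: 4 when the
   address is v4-mapped, 6 otherwise. Logging or matching the raw ::ffff: form
   against IPv4 rules is how those rules end up silently not matching. */
int peer_family(const struct sockaddr_in6 *peer) {
    return IN6_IS_ADDR_V4MAPPED(&peer->sin6_addr) ? 4 : 6;
}

int main(void) {
    int fd = open_listener6("::", 0, 0);   /* port 0: the kernel picks a free one */
    if (fd < 0) {
        printf("dualstack listener failed: %s\n", strerror(-fd));
        return 1;
    }
    printf("IPV6_V6ONLY effective value: %d\n", listener_v6only(fd));
    close(fd);
    return 0;
}
```

A caller that gets -EINVAL back from open_listener6 with want_v6only = 0 is on a system that cannot do dualstack on one socket and has to open a second, PF_INET, listener; a caller that never sets the option at all gets whichever behaviour the host's sysctl happens to select.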

- Complete refurbish based on fehQlibs.
- Native handling of IPv4/IPv6 address for sslclient.
- Added experimental 'ecdhparam' file.
- Removed experimental 'ecdhparam' handling -- OpenSSL does not support it.
- Finished TLS 1.3 integration (based on OpenSSL 1.1.1).
- Removed compiler flags for ECDH -- now required.
- fehQlibs-09 based.

- Fixed missing 'return 0' in ssl_params.c for ECDH handshake (tx. J.W.).

- Added `correct` pid display in error log.
- Fixed cosmetic bug in sslserver displaying parent and not child pid in log.
Tx Bruce Guenter.
pkgsrc changes:
- Adjust path to OpenSSL certs
- Install the provided example DH params
- Look for /etc/dnsrewrite under PKG_SYSCONFBASE
- Create a user and group for privilege separation
- Install manpages and more documentation

- Included PID in sslserver + sslhandle abend logs in case of SSL failure.
- Removed references to 'gcc' and used 'cc' instead.
- New build with better error log for ssl abends.

Included ucspi-ssl-0.70_ucspitls-0.6.patch (STARTTLS support)
originally designed and provided by Scott Gifford (FEH).
Added Certchain support for sslserver and sslclient (FEH).
Integration and added man-pages (FEH).
Synced with ucspi-tcp6-0.95.
Fixed integration bug in ssl_very.c.
Included patches from Peter Conrad.
Bug fix in sslserver. Several small
corrections.
Fix for large X509 serial numbers on x86 (tx. Peter Conrad).
SAN DNSname has precedence over CN in subject.
Re-edited man pages and rts tests.
Added IPv6 support (tx. to Felix von Leitner and Brandon Turner).
UI: Changed sslserver client cert call from '-i/-I' to '-z/-Z'
for compatibility reasons.
Added '-4/-6' support for client scripts.
Added output environment variables TCP6* for sslserver.
sslperl, sslhandle, and sslprint are not IPv6 ready yet.
Added IPv6 capabilities to sslhandle, sslprint, sslperl.
Changed verification of X.509 certs.
Removed obsolete socket_4 calls in sslserver.
Streamlined code with ucspi-tcp6-1.00.
Supplied new certs with customized SAN.
Make rts working (at least somehow).
Added support for personalized client certs.
New option '-m' in sslserver, complementing '-z'.
CCAFILE='-' disables client cert request.
Added verbose log output for SSL connection information.
Fixed wrongly nested CONNECT error code for sslclient.c
producing wrong warning messages while connecting to
an IPv4 address.
Added call of '-ldl' in ssl.lib.
Mitigation of SSL connection hanging during
coincident change of daylight-saving settings.
Fixed bug in sslserver's dnsip lookup in case of paranoid settings
and additional existence of IPv6 AAAA records for incoming IPv4 connection.
Several fixes from 'troy@' included to cope with compiler errors and
to solve a bug in function getbitasaddress in ip4_bit.c (= ucspi-tcp6-1.02).
Reordered conf-* variables in main dir to allow easier generation of
packages (i.e. RPM). Fixed script to identify different HW architecture
and OS. This version works in 32 bit mode on Raspbian Linux / RasPi 7.
Added ECDH capabilities (tx to Frank Bergmann for the patches).
Added compatibility with LibreSSL.
Fixed missing negative return call treatment from 'poll' (tx Frank Bergmann).
Tentative 'emake' fix for Gentoo build.
Added OpenSSL 1.1 tweaks -- works under Debian (9) 'Stretch'.
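The X.509 name-matching rule this log records ("SAN DNSname has precedence over CN in subject", together with the DNS name matching fix credited earlier) as an added example. It is not the project's own verification code and does not use OpenSSL's API: the certificate's dNSNames and its CN are passed in as plain strings, assumed to have been extracted from the certificate already, and the functions apply the rule that once any SAN dNSName is present the CN is ignored entirely, with a wildcard honoured only as a whole leftmost label. Function names and sample names are assumptions made here.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of two DNS names (DNS names compare ASCII-case-insensitively). */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Match one certificate name against the host the client asked for.
   Only a single '*' standing for the whole leftmost label is honoured; it
   never matches across a dot, and "*.tld" is refused outright. Any other
   use of '*' (f*o.example.net, foo.*.net) is treated as no match. */
int cert_name_matches(const char *pattern, const char *host) {
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *pdom = pattern + 1;            /* ".example.org" */
        const char *hdot = strchr(host, '.');
        if (!hdot || hdot == host) return 0;       /* host must have a leftmost label */
        if (!strchr(pdom + 1, '.')) return 0;      /* refuse "*.com" */
        return name_eq(pdom, hdot);                /* remaining labels must match exactly */
    }
    if (strchr(pattern, '*')) return 0;
    return name_eq(pattern, host);
}

/* Decide as a verifier would after parsing the certificate: if any SAN
   dNSName exists, only the SANs are consulted and the CN is ignored; the CN
   is a fallback solely for certificates carrying no dNSName at all.
   san_dns may be NULL when nsan is 0. Returns 1 if host is accepted. */
int host_accepted(const char *const *san_dns, size_t nsan, const char *cn, const char *host) {
    if (nsan > 0) {
        for (size_t i = 0; i < nsan; i++)
            if (cert_name_matches(san_dns[i], host)) return 1;
        return 0;
    }
    return cn != NULL && cert_name_matches(cn, host);
}
```

The case worth noticing is a certificate whose CN names the host but whose SAN list does not: it is rejected, because an attacker who can obtain a certificate with an arbitrary CN but properly validated SANs must not be able to use the CN to impersonate a host the issuer never validated.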