1. 08 Mar, 2017 2 commits
    • Move the OpenSSL partial chain support check inside configure.ac. (see #3916) · a51d6478
      Kevin J. McCarthy authored
      Instead of directly checking whether X509_V_FLAG_PARTIAL_CHAIN is
      defined everywhere, do it once inside configure.  This will allow
      better support in the future if the test needs to change.
    • Add $ssl_verify_partial_chains option for OpenSSL. (closes #3916) · f4fbf0bb
      Matthias Andree authored
      The reworked OpenSSL certificate validation took away a "feature" of
      the previous implementation: the ability to reject a node in the chain
      and yet continue to the next node.
      
      If this new option is set to 'yes', it enables OpenSSL's
      X509_V_FLAG_PARTIAL_CHAIN flag to reinstate the functionality and permit
      using a non-root certificate as the trust anchor.
      
      This option is only available if OpenSSL offers the
      X509_V_FLAG_PARTIAL_CHAIN macro, which should be the case as of 1.0.2b
      or later.
      
      Code written by Kevin McCarthy and Matthias Andree.
  2. 05 Mar, 2017 2 commits
    • merge stable · 5f112a84
      Kevin J. McCarthy authored
    • Increase ACCOUNT.pass field size. (closes #3921) · 52949004
      Kevin J. McCarthy authored
      #3921 reported his password token used for Google XOAUTH2 is size 129.
      The ACCOUNT structure currently uses a size 128 buffer.  Who knew a
      password field would ever be bigger than that?
      
      Since the ACCOUNT structure has no allocation/deallocation routines,
      the easiest fix is to increase the size.  Bump the size up to 256.
  3. 02 Mar, 2017 6 commits
  4. 24 Feb, 2017 4 commits
  5. 23 Feb, 2017 1 commit
  6. 22 Feb, 2017 3 commits
  7. 20 Feb, 2017 2 commits
  8. 18 Feb, 2017 3 commits
  9. 16 Feb, 2017 3 commits
  10. 13 Feb, 2017 1 commit
  11. 12 Feb, 2017 4 commits
    • Show SHA1 fp in interactive cert check menu. · 1a30ca30
      Matthias Andree authored
      While here, fix a few compiler warnings about sign mismatch in comparison.
    • Fix potential cert memory leak in check_certificate_by_digest(). · c14dd495
      Kevin J. McCarthy authored
      Thanks to Matthias Andree's debugging, it appears the cert is not
      freed when PEM_read_X509() encounters EOF.  Change the return value
      check to not overwrite cert.  It is already updated via the second
      parameter.
    • Plug memory leak in weed-expired-certs code. · fb869a5f
      Matthias Andree authored
      X509_STORE_add_cert() creates a copy of the certificate we're offering,
      so we need to free our copy afterwards.  This isn't documented, but from
      observed behaviour in OpenSSL 1.0.2 and its master branch source code.
      
      Change PEM_read_X509() call to reuse cert to avoid free/reallocation
      overhead.
    • Filter expired local certs for OpenSSL verification. · 4500b8d1
      Kevin J. McCarthy authored
      OpenSSL has trouble establishing the chain and verifying when
      duplicate expired certs are loaded in from $certificate_file.  A
      warning about this is mentioned in
      SSL_CTX_load_verify_locations(3SSL).
      
      Filter out expired certs when loading verify certs.  Note that the
      full certificates file is still used for verification in
      check_certificate_by_digest().
  12. 10 Feb, 2017 3 commits
  13. 08 Feb, 2017 3 commits
    • Fix build for bdb. · b69ef1c3
      Kevin J. McCarthy authored
      Changeset fca7e504ab6a removed #else/#endif around two blocks of code
      that won't compile with bdb enabled.  Restore those directives.
      
      Thanks to Richard Russon for pointing out the problem and saving me
      from having egg all over my face with the 1.8 release!
    • Create function to free header cache data. · 2353e296
      Kevin J. McCarthy authored
      Kyoto Cabinet documents that data from it should be freed via
      kcfree().
      
      LMDB claims ownership of the data returned, so convert its free
      operation to be a noop and remove the malloc from its fetch function.
    • Add Kyoto Cabinet support to the header cache. · 046fb469
      Kevin J. McCarthy authored
      Retain the defaults as they are, although we might switch to Kyoto
      Cabinet for the next major release.
  14. 04 Feb, 2017 2 commits
  15. 31 Jan, 2017 1 commit