summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2021-06-01 Add all the missing pieces for sni_policyLaurent Bercot
sbearssl_server_init_and_run is yet unchanged, the next step is to rewrite it using the new primitives.
2021-05-30 bugfix: -l option in s6-tlsserver takes an argLaurent Bercot
2021-05-30 Start work on bearssl server-side sniLaurent Bercot
2021-05-28 Server-side SNI, libtls versionLaurent Bercot
Implementation for bearssl coming soon.
2021-05-27 All good, remove debug instructionsLaurent Bercot
2021-05-27 Remove backtraces; add verification impls to server enginesLaurent Bercot
2021-05-27 Add backtrace invocation to debug spurious get_pkey callLaurent Bercot
2021-05-25 More debug commandsLaurent Bercot
2021-05-22 bugfix: tcpserver should unignore SIGPIPELaurent Bercot
2021-05-21 Trivial syscall number optimizationLaurent Bercot
2021-05-20 Debugging iterationLaurent Bercot
2021-05-20 Add an x509 engine wrapping minimal. NOT FUNCTIONAL, FOR TESTING.Laurent Bercot
2021-05-18 Prepare for 2.4.2.0; implement client certificates with bearsslLaurent Bercot
Also send a bit more environment with libtls
2021-05-08 sbearssl cosmetic fixesLaurent Bercot
2021-01-28 Remove SSL_TLS_SNI_SERVERNAME (instead of defined but empty) if no SNILaurent Bercot
2021-01-28 Prepare for 2.4.1.0; add SSL_TLS_SNI_SERVERNAMELaurent Bercot
2021-01-18 Tiny code and doc fixesLaurent Bercot
2021-01-13 Implement handshake timeout for libtls backendLaurent Bercot
2020-12-09 Get rid of webipc.hLaurent Bercot
2020-12-07 Change -K semantics: timeout *during handshake*, not afterwardsLaurent Bercot
- the TLS tunnel itself should be transparent so it has no business shutting down the connection no matter how long the app takes - there's still an undetectable situation on some kernels where EOF doesn't get transmitted from the network, and the engine is in the handshake, and it can't do anything but wait forever. A timeout is useful here: dawg, your peer is never going to send any more data, you should just give up. - if the situation happens after the handshake, the *app* should have a timeout and die. The tunnel will follow suit. - libtls has a blocking tls_handshake() blackbox, we cannot give it a timeout. Too bad, use bearssl.
2020-11-30 Fix build with skalibs 2.10.0.0; document dependenciesLaurent Bercot
2020-11-26 Convert to new exec.h syntaxLaurent Bercot
2020-11-26 That exit condition is really hard to get right >.>Laurent Bercot
2020-11-26 Fix engine exit condition for sbearsslLaurent Bercot
2020-11-23 minidentd QoL fixLaurent Bercot
2020-11-23 stls client: prefer CAFILE, warn on CADIR use, because libtls is brokenLaurent Bercot
2020-11-23 Fix more bugs; disable renegociation in bearssl clientLaurent Bercot
2020-11-22 Fix a few bugs. sbearssl appears to be working.Laurent Bercot
2020-11-22 Add SSL_PROTOCOL and SSL_CIPHER support, fix some bugsLaurent Bercot
2020-11-22 Add documentation, fix tiny privdrop bugLaurent Bercot
2020-11-21 Move all tls stuff into its own subdirLaurent Bercot
2020-11-21 Add s6-ucspitlscLaurent Bercot
2020-11-21 Prepare for 2.4.0.0Laurent Bercot
2020-11-21 Privs can only be dropped after reading key files.Laurent Bercot
2020-11-20 Refactor tls code to support ucspi-tlsLaurent Bercot
That includes: - new architecture: the tls binary is now a child of the app instead of the other way around - the sbearssl_run engine now takes a post-handshake callback. This allows s6-tlsc and s6-tlsd to only exec into the app when the handshake succeeds (which was already the case with libressl). - new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto code; they init and run the engine, connecting to 4 already open fds (stdin/stdout = network, argv[1] and argv[2] = local) - s6-tlsc is now a simple wrapper around s6-tlsc-io - s6-tlsd is now a simple wrapper around s6-tlsd-io - new binary: s6-ucspitlsd, which is also a wrapper around s6-tlsd-io, but differently: the parent execs the app which should be ucspi-tls-aware, the child waits for a command from the parent and execs into s6-tlsd-io if it receives it.
2020-05-06 Add -e option to s6-tlsserverLaurent Bercot
2019-09-21 Remove tainnow.lib dependencyLaurent Bercot
2019-09-06 Adapt to new stopwatch APILaurent Bercot
2019-09-04 Use stopwatches and wallclocks where appropriateLaurent Bercot
2019-05-14 Different code style for the maxconn spurious warning avoidanceLaurent Bercot
2019-02-20 Adapt to skalibs/posixishard.hLaurent Bercot
2018-10-06 bugfix: have s6-tcpserver?d write localport to stdout on notifLaurent Bercot
and not just a newline.
2018-08-01 Add nsss supportLaurent Bercot
2018-07-21 Adapt to skalibs-2.7.0.0, prepare for 2.3.0.3Laurent Bercot
2018-04-11change localip is6 flag based on destination ipJohn Regan
By default, the localip flag is initialized with the is6 flag set to 0. The only time the flag is changed to 1 is when a user specifies a local IPv6 address to use. Because of this, socket_tcp46 always creates an IPv4 socket. This patch corrects that - if the user hasn't specified a local address, then the local 'is6' flag is updated to match the destination 'is6' flag. Signed-off-by: Laurent Bercot <ska-skaware@skarnet.org>
2018-04-11 Add -B (blocking) option to s6-tcpserver?-socketbinderLaurent Bercot
2017-09-13 bugfix: spurious error message in s6-tcpserver?d when maxed connectionsLaurent Bercot
2017-08-28 Moderately big hammer: force kill on s6-tlsd when it has nothing to write ↵Laurent Bercot
to the network
2017-08-28 Revert big hammer. Data still needs to be flushed to the network even when ↵Laurent Bercot
the local app dies.
2017-08-22 Optimize to xpathexec ; prepare for 2.3.0.2Laurent Bercot