*This patch is dependent on https://github.com/wolfSSL/wolfssl/pull/3871 because proto version selection logic is refactored in that pull request.*
This patch contains the following changes:
- Enable more options with `--enable-haproxy`
- Compatibility layer additions
- `STACK_TYPE_X509_OBJ`
- `OCSP_id_cmp`
- `X509_STORE_get0_objects`
- `X509V3_EXT_nconf_nid`
- `X509V3_EXT_nconf`
- `X509_chain_up_ref`
- `X509_NAME_hash`
- `sk_X509_NAME_new_null`
- `X509_OBJECT_get0_X509`
- `X509_OBJECT_get0_X509_CRL`
- `ASN1_OCTET_STRING_free`
- `X509_LOOKUP_TYPE`
- `OSSL_HANDSHAKE_STATE`
- New `OPENSSL_COMPATIBLE_DEFAULTS` define will set default behaviour that is compatible with OpenSSL
- WOLFSSL_CTX
- Enable all compiled in protocols
- Allow anonymous ciphers
- Set message grouping
- Set verify to SSL_VERIFY_NONE
- In `SetSSL_CTX`, don't change `send` and `recv` callback if currently using `BIO`
- `ssl->peerVerifyRet`
- Return first that occured
- Set correct value on date error
- Set revoked error on OCSP or CRL error
- Save value in session and restore on resumption
- Add to session serialization
- With `OPENSSL_EXTRA`, send an alert on invalid downgrade attempt
- Handle sni callback `SSL_TLSEXT_ERR_NOACK`
- Add `WOLFSSL_VERIFY_DEFAULT` option for `wolfSSL_CTX_set_verify` and `wolfSSL_set_verify` to allow resetting to default behaviour
* Added async support to `SendTls13ClientHello`, `DoTls13ServerHello` and `DoTls13ClientHello`.
* Cleanup of the example client/server use key share code.
* Fix some scan-build warnings.
ZD 12065
See RFC 8446: 4.2.11
With TLS 1.3 PSK callback, If the returned cipher suite isn't available,
use the hash from the cipher suite and choose from available list.
Require exact match when: WOLFSSL_TLS13_PSK_NO_MATCH_HASH
Alternative callback for client added that is passed a cipher suite
string. Called for each cipher suite that is to be negotiated.
If cipher suite to be used with PSK then return client identity.
Returning an identity based on cipher suite hash will result in
only one PSK extension being added per hash.
- The `ssl->dtlsMtuSz` value is the maximum possible size of the DTLS record layer. We read `ssl->dtlsMtuSz + 100` in case peer has slightly different MTU set.
- The `-u` option in the examples takes the value of the MTU size.
- MTU tests are added in `tests/test-dtls-mtu.conf`
* Fix for SNI callback on server to make sure the SNI data is stored even without setting a hostname. This makes sure the SNI extension is set when there is a registered SNI recv callback.
* Fix for Apache HTTPD to include `WOLFSSL_ALWAYS_KEEP_SNI`
- I observed that client TX throughput < client RX throughput, but server TX
throughput > server RX throughput. Turns out this is just a typo in the
printing of the stats. The RX stat was being printed as the TX stat and vice-
versa.
- I added a note to scripts/benchmark.test about a 2 second sleep we do waiting
for the server to come up. If you were to time this script with the time
command, you'll see that 2 seconds in the result, which might be confusing
if you didn't realize the sleep was there.
- Add this option as "-6."
- Turn on non-blocking mode if WANT_WRITE simulation is enabled.
- Create a send IO callback that gets registered when this option is turned on.
This callback alternates between letting the TX through and returning a
WANT_WRITE error.
Lealem Amedie
Juliusz Sosinowicz
Hideki Miyazaki
David Garske
Daniel Pouzzner
Sean Parkinson
toddouska
Tesfa Mael
JacobBarthelmeh
Eric Blankenhorn
Chris Conlon
Hayden Roche
Glenn Strauss
John Safranek