]> git.ipfire.org Git - thirdparty/openssl.git/commit - doc/man3/SSL_CTX_dane_enable.pod
projects / thirdparty / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d83b7e1) | patch
Perform DANE-EE(3) name checks by default
authorViktor Dukhovni <openssl-users@dukhovni.org>
Mon, 11 Jul 2016 00:36:02 +0000 (20:36 -0400)
committerViktor Dukhovni <openssl-users@dukhovni.org>
Tue, 12 Jul 2016 14:16:34 +0000 (10:16 -0400)
commit5ae4ceb92c2ae6c677b1de2c477dce71a4d94716
treee3df5a313a7e45524115e1cca438256f0405bd6atree | snapshot
parentd83b7e1a580b2f68a041d178e91e9495ec95e383commit | diff
Perform DANE-EE(3) name checks by default

In light of potential UKS (unknown key share) attacks on some
applications, primarily browsers, despite RFC761, name checks are
by default applied with DANE-EE(3) TLSA records.  Applications for
which UKS is not a problem can optionally disable DANE-EE(3) name
checks via the new SSL_CTX_dane_set_flags() and friends.

Reviewed-by: Rich Salz <rsalz@openssl.org>
crypto/x509/x509_vfy.c diff | blob | blame | history
doc/ssl/SSL_CTX_dane_enable.pod diff | blob | blame | history
include/internal/dane.h diff | blob | blame | history
include/openssl/ssl.h diff | blob | blame | history
include/openssl/x509_vfy.h diff | blob | blame | history
ssl/ssl_lib.c diff | blob | blame | history
test/danetest.c diff | blob | blame | history
test/danetest.in diff | blob | blame | history
A mirror of the official openssl repository