kmx git

Commit	Date	Message
28b80754	2018-04-02T13:18:27	Fix build with LibreSSL 2.7 LibreSSL 2.7 implements OpenSSL 1.1 API except for BIO_get_init() See also: https://bugs.freebsd.org/226900 Signed-off-by: Bernard Spil <brnrd@FreeBSD.org> Closes: #617 (cherry-pick)
d057c45e	2017-01-28T16:42:13	Unbreak build with LibreSSL after openssl 1.1 support added Fixes: 3e9e0a0d46e4 ("Make it build using OpenSSL 1.1.0") Fixes: #445
3e9e0a0d	2016-09-19T22:05:15	Make it build using OpenSSL 1.1.0 Rebased (azat): - tabs instead of whitespaces - make openssl-compat.h safe for complex expressions - do not call sk_SSL_COMP_free() in 1.1 (fixes double free) TODO: - clean methods_bufferevent Closes: #397 (cherry-picked)
3316a210	2015-11-10T20:26:50	Add missing <string.h> for openssl_hostname_validation module Now it included by openssl, but nfter openssl/openssl@master-post-reformat-1494-g6329b60 it will print warning (apparently they dropped <string.h> from the generic headers).
e212c548	2014-01-22T13:19:49	Check for OSX when checking for clang.
0ef1d04e	2013-12-17T14:32:07	Get rid of unknown pragma warnings.
69c3516b	2013-12-17T13:28:23	Get rid of deprecation warnings for OpenSSL on OSX 10.7+
4db9da6b	2013-02-27T21:12:53	pull in wildcard matching code from cURL Now, https-client accepts both: https://ip.appspot.com/ (matching wildcard certificate) https://github.com/ (matching non-wildcard certificate) but still rejects https://www.kegel.com/ (non-matching wildcard certificate) which should match the behavior of these sites in a web browser.
6021cb50	2013-02-27T21:19:16	avoid sign mismatch warning in openssl_hostname_validation.c sample/openssl_hostname_validation.c: In function 'matches_common_name': sample/openssl_hostname_validation.c:80: warning: comparison between signed and unsigned integer expressions sample/openssl_hostname_validation.c: In function 'matches_subject_alternative_name': sample/openssl_hostname_validation.c:124: warning: comparison between signed and unsigned integer expressions
64d9f161	2013-02-27T17:16:27	use iSECPartners code to validate hostname in certificate The problem is that if you go to a website whose certificate does not match its hostname, it should fail. Try this in a web browser for https://www.kegel.com/ for example. Your web browser will say the certificate is for .pair.com, not for www.kegel.com, and won't let you visit it without clicking through a bunch of scary warnings. However, prior to this commit, https-client was happy to fetch https://www.kegel.com/ without complaining. That is bad. Now, with this commit, it will properly complain, which is good: pelletier@chives:~/src/libevent/sample$ ./https-client https://www.kegel.com/ Got 'MatchNotFound' for hostname 'www.kegel.com' and certificate: /C=US/postalCode=15203/ST=Pennsylvania/L=Pittsburgh/street=Suite 210/street=2403 Sidney Street/O=pair Networks, Inc./OU=Provided by pair Networks, Inc./OU=PairWildcardSSL $250,000/CN=.pair.com some request failed - no idea which one though! error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ppelletier@chives:~/src/libevent/sample$ It will still succeed for sites with an exactly-matching certificate, such as https://github.com/ and that is also good! However, the problem is that the iSECPartners code doesn't handle wildcards, which means we reject https://ip.appspot.com/ even though it is perfectly legitimate, because we don't understand the wildcard: ppelletier@chives:~/src/libevent/sample$ ./https-client https://ip.appspot.com/ Got 'MatchNotFound' for hostname 'ip.appspot.com' and certificate: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.appspot.com some request failed - no idea which one though! error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ppelletier@chives:~/src/libevent/sample$ So, we need to fix this. In other words, "to be continued..."

28b80754

2018-04-02T13:18:27

Fix build with LibreSSL 2.7 LibreSSL 2.7 implements OpenSSL 1.1 API except for BIO_get_init() See also: https://bugs.freebsd.org/226900 Signed-off-by: Bernard Spil <brnrd@FreeBSD.org> Closes: #617 (cherry-pick)

d057c45e

2017-01-28T16:42:13

Unbreak build with LibreSSL after openssl 1.1 support added Fixes: 3e9e0a0d46e4 ("Make it build using OpenSSL 1.1.0") Fixes: #445

3e9e0a0d

2016-09-19T22:05:15

Make it build using OpenSSL 1.1.0 Rebased (azat): - tabs instead of whitespaces - make openssl-compat.h safe for complex expressions - do not call sk_SSL_COMP_free() in 1.1 (fixes double free) TODO: - clean methods_bufferevent Closes: #397 (cherry-picked)

3316a210

2015-11-10T20:26:50

Add missing <string.h> for openssl_hostname_validation module Now it included by openssl, but nfter openssl/openssl@master-post-reformat-1494-g6329b60 it will print warning (apparently they dropped <string.h> from the generic headers).

e212c548

2014-01-22T13:19:49

Check for OSX when checking for clang.

0ef1d04e

2013-12-17T14:32:07

Get rid of unknown pragma warnings.

69c3516b

2013-12-17T13:28:23

Get rid of deprecation warnings for OpenSSL on OSX 10.7+

4db9da6b

2013-02-27T21:12:53

pull in wildcard matching code from cURL Now, https-client accepts both: https://ip.appspot.com/ (matching wildcard certificate) https://github.com/ (matching non-wildcard certificate) but still rejects https://www.kegel.com/ (non-matching wildcard certificate) which should match the behavior of these sites in a web browser.

6021cb50

2013-02-27T21:19:16

avoid sign mismatch warning in openssl_hostname_validation.c sample/openssl_hostname_validation.c: In function 'matches_common_name': sample/openssl_hostname_validation.c:80: warning: comparison between signed and unsigned integer expressions sample/openssl_hostname_validation.c: In function 'matches_subject_alternative_name': sample/openssl_hostname_validation.c:124: warning: comparison between signed and unsigned integer expressions

64d9f161

2013-02-27T17:16:27

use iSECPartners code to validate hostname in certificate The problem is that if you go to a website whose certificate does not match its hostname, it should fail. Try this in a web browser for https://www.kegel.com/ for example. Your web browser will say the certificate is for *.pair.com, not for www.kegel.com, and won't let you visit it without clicking through a bunch of scary warnings. However, prior to this commit, https-client was happy to fetch https://www.kegel.com/ without complaining. That is bad. Now, with this commit, it will properly complain, which is good: pelletier@chives:~/src/libevent/sample$ ./https-client https://www.kegel.com/ Got 'MatchNotFound' for hostname 'www.kegel.com' and certificate: /C=US/postalCode=15203/ST=Pennsylvania/L=Pittsburgh/street=Suite 210/street=2403 Sidney Street/O=pair Networks, Inc./OU=Provided by pair Networks, Inc./OU=PairWildcardSSL $250,000/CN=*.pair.com some request failed - no idea which one though! error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ppelletier@chives:~/src/libevent/sample$ It will still succeed for sites with an exactly-matching certificate, such as https://github.com/ and that is also good! However, the problem is that the iSECPartners code doesn't handle wildcards, which means we reject https://ip.appspot.com/ even though it is perfectly legitimate, because we don't understand the wildcard: ppelletier@chives:~/src/libevent/sample$ ./https-client https://ip.appspot.com/ Got 'MatchNotFound' for hostname 'ip.appspot.com' and certificate: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.appspot.com some request failed - no idea which one though! error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ppelletier@chives:~/src/libevent/sample$ So, we need to fix this. In other words, "to be continued..."

kc3-lang/libevent/sample/openssl_hostname_validation.c

sample/openssl_hostname_validation.c

Log