| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
|
|
|
|
PP/22
Report from Prashanth Katuri.
This variant ensures that if TLS won't be activated because of
compile-time guards, but was requested, then we at least debug-log _why_
we're not doing anything.
|
|
Report and fix from Heiko Schlichting.
Fixes 1363.
|
|
|
|
Submitted by: Paul Osborne <paul.osborne@canterbury.ac.uk>
|
|
|
|
This is for reporting mailer activity without going via the log files.
|
|
This converts octets outside the range 0x21-0x7E (the ASCII
graphic characters) to \xNN hex escapes.
|
|
|
|
|
|
|
|
Refactored smtp transport to pull out AUTH-related routines so they could be
also called from the verify code.
Bugs 321, 823.
|
|
This is gross hackery and somewhat fragile. A better method would
actuallyt compile the 'C' involved and check programmatically.
|
|
Was placed in non-alphabetical order.
|
|
Call out the dangers of use_shell in the security considerations
chapter.
Call out a number of related dangers too.
|
|
|
|
|
|
|
|
|
|
Remove SPF domain synthesis, just use HELO.
|
|
|
|
Fix a few cosmetic differences.
|
|
|
|
|
|
Changes the $more variable to just cat the changes to STDOUT and not
pipe it through less or more.
|
|
|
|
* ocsp_staple_rollup:
tidying
OCSP-stapling enhancement and testing.
|
|
|
|
Reported by Heiko Schlichting.
fixes 1345
|
|
Note that this function is never going to be called pre-fork unless the
admin is doing something highly unusual with ${randint:..} in a context
evaluated in the listening daemon. Other forks should result in a
re-exec(), thus resetting state.
Nonetheless, be more cautious, explicitly reset state.
Fix per PostgreSQL.
PS: why does OpenSSL not document RAND_cleanup() on the same page as all
the other entropy pool maintenance functions?
|
|
Work by J. Nick Koston, for cPanel, Inc.
|
|
|
|
Normally when a router redirects an address directly to a pipe command
the command option on the transport is ignored. If force_command
is set, the command option will expanded and used. This is especially
useful for forcing a wrapper or additional argument to be added to the
command.
|
|
Server:
Honor environment variable as well as running_in_test_harness in permitting bogus staplings
Update server tests
Add "-ocsp" option to client-ssl.
Server side: add verification of stapled status.
First cut server-mode ocsp testing.
Fix some uninitialized ocsp-related data.
Client (new):
Verify stapling using only the chain that verified the server cert, not any acceptable chain.
Add check for multiple responses in a stapling, which is not handled
Refuse verification on expired and revoking staplings.
Handle OCSP client refusal on lack of stapling from server.
More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
Add transport hosts_require_ocsp option.
Log stapling responses.
Start on tests for client-side.
Testing support:
Add CRL generation code and documentation update
Initial CA & certificate set for testing.
BUGFIX:
Once a single OCSP response has been extracted the validation
routine return code is no longer about the structure, but the actual
returned OCSP status.
|
|
This per Tony's suggestion; this makes it clearer that we are merely
setting resolver flags, not performing validation ourselves.
Well, clearer to those who understand DNSSEC. For everyone else,
they'll still be dependent upon a forthcoming new chapter to the
Specification.
|
|
New behaviour matches GnuTLS handling, and is documented.
Previously, a tls_verify_certificates expansion forced failure was the
only portable way to avoid setting this option. Now, an empty string is
equivalent.
|
|
Resolves:
gcc receive.c
receive.c:520: warning: 'smtp_user_msg' defined but not used
|
|
Base patch by Alain Williams.
Tweaked, to avoid putting an IPv6-dependency into the default
uncommented form, and some rewording.
Bugzilla 880.
GitHub PR #1.
|
|
|
|
Issue debugged by Todd Lyons, this fix from me.
|
|
|
|
|
|
|
|
|
|
|
|
Define SIOCGIFCONF_GIVES_ADDR in OS/os.h-GNU
Fixes 1331.
|
