Age | Commit message | Author |
|
Fix certificate name verification done with tls_try_verify_hosts
Affected tls_verify_hosts, tls_try_verify_hosts, tls_verify_cert_hostnames.
|
connected-to, not a list of acceptable names. The name checked is the
host name.
|
EXPERIMENTAL_CERTNAMES)
|
msg:complete
msg:fail:internal
msg:fail:delivery
|
Conflicts:
doc/doc-txt/ChangeLog
src/src/tls-openssl.c
src/src/transports/smtp.c
src/src/verify.c
|
Note this introduces incompatible changes; users who are compiling
the feature in, and with configuration files using it, will need to
change their configurations appropriately. See the experimental-spec.txt
file.
|
Since the max connections per host setting is computed and enforced
in the master listening process before the fork, there is no easy
way to get an accurate connection count once the Proxy Protocol
negotiation has been done (i.e. in a child process, after the
fork). Rather than try to use a shared mmap file using CAS in the
children to manipulate it, we just advise that a crude version of
max connections per IP be achieved by using ratelimit per_conn in
the connect ACL.
|
Enable EXPERIMENTAL_CERTNAMES to include.
|
The HAProxy dev team adjusted the layout of the 16 byte header to allow
it to be used for SSL connections. Had to adjust PPv2 handling code
and perl proxy emulation script.
Added link to this HAProxy commit in the documentation.
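The 16-byte v2 header this commit adapts to, parsed with the checks a receiving MTA needs, as an added example (my code, not Exim's proxy handling): the signature is verified, only version 2 and the LOCAL/PROXY commands are accepted, the body length is bounds-checked before any address is read, and the header is honoured only when the real TCP peer is a configured proxy. That last check is the security-relevant one: since PROXY processing happens before the connect ACL, any client allowed to send the header could pick its own source address for the ACL. The trusted-proxy list, the peer address passed as a string, and the sample header are assumptions constructed for the example; in Exim the hosts_proxy main option plays that role.

```c
/* Added example: Proxy Protocol v2 header parser with receiver-side checks.
 * Not Exim's code; the trusted-proxy list, peer string and sample header
 * are constructed for illustration. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define PP2_SIG_LEN 12
#define PP2_HDR_LEN 16   /* signature + ver/cmd + fam/proto + 2-byte length */

static const uint8_t pp2_signature[PP2_SIG_LEN] =
  { 0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A };

enum pp2_result { PP2_OK, PP2_LOCAL, PP2_NEED_MORE, PP2_BAD, PP2_UNTRUSTED };

struct pp2_addrs {
  int family;                 /* AF_INET or AF_INET6 */
  char src[INET6_ADDRSTRLEN]; /* original client as seen by the proxy */
  char dst[INET6_ADDRSTRLEN]; /* address the client connected to */
  uint16_t src_port, dst_port;
  size_t consumed;            /* header bytes to strip before SMTP starts */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Before the header is read, the real peer address is the only thing we can
 * trust; an untrusted peer sending a PROXY header is forging its source. */
static int peer_is_trusted_proxy(const char *peer, const char *const *trusted, size_t n)
{
  for (size_t i = 0; i < n; i++)
    if (strcmp(peer, trusted[i]) == 0) return 1;
  return 0;
}

enum pp2_result pp2_parse(const uint8_t *buf, size_t len, const char *peer,
                          const char *const *trusted, size_t ntrusted,
                          struct pp2_addrs *out)
{
  if (!peer_is_trusted_proxy(peer, trusted, ntrusted)) return PP2_UNTRUSTED;
  if (len < PP2_HDR_LEN) return PP2_NEED_MORE;
  if (memcmp(buf, pp2_signature, PP2_SIG_LEN) != 0) return PP2_BAD;

  uint8_t ver_cmd = buf[12], fam_proto = buf[13];
  uint16_t body_len = be16(buf + 14);
  if ((ver_cmd >> 4) != 0x2) return PP2_BAD;          /* only v2 handled here */
  if (len < (size_t)PP2_HDR_LEN + body_len) return PP2_NEED_MORE;

  memset(out, 0, sizeof *out);
  out->consumed = (size_t)PP2_HDR_LEN + body_len;

  switch (ver_cmd & 0x0F) {
  case 0x0: return PP2_LOCAL;  /* proxy's own traffic (health checks): keep real peer */
  case 0x1: break;             /* PROXY: address block follows */
  default:  return PP2_BAD;
  }

  const uint8_t *a = buf + PP2_HDR_LEN;
  switch (fam_proto >> 4) {
  case 0x1: /* AF_INET: src4 dst4 sport dport = 12 bytes */
    if (body_len < 12) return PP2_BAD;
    out->family = AF_INET;
    inet_ntop(AF_INET, a, out->src, sizeof out->src);
    inet_ntop(AF_INET, a + 4, out->dst, sizeof out->dst);
    out->src_port = be16(a + 8);
    out->dst_port = be16(a + 10);
    return PP2_OK;
  case 0x2: /* AF_INET6: src16 dst16 sport dport = 36 bytes */
    if (body_len < 36) return PP2_BAD;
    out->family = AF_INET6;
    inet_ntop(AF_INET6, a, out->src, sizeof out->src);
    inet_ntop(AF_INET6, a + 16, out->dst, sizeof out->dst);
    out->src_port = be16(a + 32);
    out->dst_port = be16(a + 34);
    return PP2_OK;
  default:  /* AF_UNSPEC / AF_UNIX: nothing usable for an SMTP listener */
    return PP2_BAD;
  }
}

/* Constructed sample: PROXY, TCP over IPv4, 192.0.2.10:5432 -> 198.51.100.1:25 */
const uint8_t pp2_sample_inet[] = {
  0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A,
  0x21, 0x11, 0x00, 0x0C,
  0xC0, 0x00, 0x02, 0x0A,  0xC6, 0x33, 0x64, 0x01,  0x15, 0x38,  0x00, 0x19 };
const size_t pp2_sample_inet_len = sizeof pp2_sample_inet;

int main(void)
{
  const char *trusted[] = { "10.0.0.5" };   /* assumed load-balancer address */
  struct pp2_addrs a;
  enum pp2_result r = pp2_parse(pp2_sample_inet, pp2_sample_inet_len,
                                "10.0.0.5", trusted, 1, &a);
  if (r == PP2_OK)
    printf("client %s:%u -> %s:%u (%zu header bytes)\n",
           a.src, a.src_port, a.dst, a.dst_port, a.consumed);
  return r == PP2_OK ? 0 : 1;
}
```

The parser returns PP2_NEED_MORE rather than guessing when fewer than 16 bytes, or fewer than the declared body length, have arrived; the caller should keep reading within the send window the later commit mentions and then strip `consumed` bytes before handing the stream to the SMTP reader. A LOCAL command leaves the real peer address in force, which is what a proxy's health check should look like to the connect ACL.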
|
and smtp transport option hosts_request_ocsp
|
Requires GnuTLS version 3.1.3 or later.
Under EXPERIMENTAL_OCSP
|
Change recv() to not use MSG_PEEK and eliminate flush_input().
Add proxy_target_address/port expansions.
Convert ipv6 decoding to memmove().
Use sizeof() for variable sizing.
Correct struct member access.
Enhance debug output when passed invalid command/family.
Add to and enhance documentation.
Client script to test Proxy Protocol, interactive on STDIN/STDOUT,
so it can be chained (i.e. a swaks pipe), useful for any service, not
just Exim and/or SMTP.
|
Previous patch introduced a change that could break existing SPF
configurations. Add back the two non-standard "err_temp" and
"err_perm" result values, with a note that they are deprecated and
will be removed in a future release.
|
New variable is $dmarc_domain_policy
|
Introduces a small backwards incompatible change to two results,
err_temp to temperror and err_perm to permerror.
|
Rename proxy expansions conforming to Exim standards.
Update documentation to reflect rename.
Separate restore socket function
|
Initial conf setting and expansions
Logging setting whether to record proxy host, off by default
Put PROXY processing before connect ACL
Fix incoming address logging
Add Proxy Protocol to ChangeLog
Set window for Proxy Protocol header to be sent
Update docs and EDITME.
|
Credit Axel Rau for careful proofreading.
|
Add want_experimental() test in the script to create the lookups
Makefile to ease detection of requested Experimental features, and
simplify the #ifdef guards in redis.c.
|
master_dmarc_doc
|
Server:
Honor environment variable as well as running_in_test_harness in permitting bogus staplings
Update server tests
Add "-ocsp" option to client-ssl.
Server side: add verification of stapled status.
First cut server-mode ocsp testing.
Fix some uninitialized ocsp-related data.
Client (new):
Verify stapling using only the chain that verified the server cert, not any acceptable chain.
Add check for multiple responses in a stapling, which is not handled.
Refuse verification on expired and revoked staplings.
Handle OCSP client refusal on lack of stapling from server.
More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
Add transport hosts_require_ocsp option.
Log stapling responses.
Start on tests for client-side.
Testing support:
Add CRL generation code and documentation update
Initial CA & certificate set for testing.
BUGFIX:
Once a single OCSP response has been extracted the validation
routine return code is no longer about the structure, but the actual
returned OCSP status.
|
Base text from Wolfgang Breyha.
I went over it as someone new to it, to make some obvious-to-experts-but-not-me fixes.
|
OpenSSL only.
|
I have also de-CVSed the ABOUT files and cleaned up a few
introductory comments.
|