103ed08549
Previously, we'd omitted OpenSSL's OCSP APIs because they depend on a complex OCSP mechanism and encourage the unreliable server behavior that hampers using OCSP stapling to fix revocation today. (OCSP responses should not be fetched on-demand on a callback. They should be managed like other server credentials and refreshed eagerly, so temporary CA outage does not translate to loss of OCSP.) But most of the APIs are byte-oriented anyway, so they're easy to support. Intentionally omit the one that takes a bunch of OCSP_RESPIDs.

The callback is benign on the client (an artifact of OpenSSL reading OCSP and verifying certificates in the wrong order). On the server, it encourages unreliability, but pyOpenSSL/cryptography.io depends on this. Document that this is only for compatibility with legacy software.

Also tweak a few things for compatibility. cryptography.io expects SSL_CTX_set_read_ahead to return something, SSL_get_server_tmp_key's signature was wrong, and cryptography.io tries to redefine SSL_get_server_tmp_key if SSL_CTRL_GET_SERVER_TMP_KEY is missing.

Change-Id: I2f99711783456bfb7324e9ad972510be8a95e845
Reviewed-on: https://boringssl-review.googlesource.com/28404
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>