103ed08549
Previously, we'd omitted OpenSSL's OCSP APIs because they depend on a complex OCSP mechanism and encourage the the unreliable server behavior that hampers using OCSP stapling to fix revocation today. (OCSP responses should not be fetched on-demand on a callback. They should be managed like other server credentials and refreshed eagerly, so temporary CA outage does not translate to loss of OCSP.) But most of the APIs are byte-oriented anyway, so they're easy to support. Intentionally omit the one that takes a bunch of OCSP_RESPIDs. The callback is benign on the client (an artifact of OpenSSL reading OCSP and verifying certificates in the wrong order). On the server, it encourages unreliability, but pyOpenSSL/cryptography.io depends on this. Dcument that this is only for compatibility with legacy software. Also tweak a few things for compatilibility. cryptography.io expects SSL_CTX_set_read_ahead to return something, SSL_get_server_tmp_key's signature was wrong, and cryptography.io tries to redefine SSL_get_server_tmp_key if SSL_CTRL_GET_SERVER_TMP_KEY is missing. Change-Id: I2f99711783456bfb7324e9ad972510be8a95e845 Reviewed-on: https://boringssl-review.googlesource.com/28404 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com> |
||
|---|---|---|
| .. | ||
| asn1.errordata | ||
| bio.errordata | ||
| bn.errordata | ||
| cipher.errordata | ||
| CMakeLists.txt | ||
| conf.errordata | ||
| dh.errordata | ||
| digest.errordata | ||
| dsa.errordata | ||
| ec.errordata | ||
| ecdh.errordata | ||
| ecdsa.errordata | ||
| engine.errordata | ||
| err_data_generate.go | ||
| err_test.cc | ||
| err.c | ||
| evp.errordata | ||
| hkdf.errordata | ||
| internal.h | ||
| obj.errordata | ||
| pem.errordata | ||
| pkcs7.errordata | ||
| pkcs8.errordata | ||
| rsa.errordata | ||
| ssl.errordata | ||
| x509.errordata | ||
| x509v3.errordata | ||