0-dns-cert.pem and 0-dns-key.pem were stored in `test/fixtures/key`
directory, but the cert file cannot be created with the openssl
command via Makefile.
Added a script to create it with using `asn1.js` and
`asn1.js-rfc5280` and moved them out of key directory and put into
`test/fixtures/0-dns`.
The domains listed in the cert were also changed into example.com and
example.org to show the use for only testing.
Fixes: https://github.com/nodejs/node/issues/10228
PR-URL: https://github.com/nodejs/node/pull/11579
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Load the certificate chain from the PFX file the same as we do it for a
regular certificate chain.
Fix: #4127
PR-URL: https://github.com/nodejs/node/pull/4165
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Check that invalid DSA key sizes are rejected in FIPS mode.
PR-URL: https://github.com/nodejs/node/pull/3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
Several test fixtures use use weak crypto (e.g. RC4 or MD5).
Rgenerated the test fixtures to be compatible with FIPS mode.
PR-URL: https://github.com/nodejs/node/pull/3759
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Do not enable ClientHello parser for async SNI/OCSP. Use new
OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and
load the cert/OCSP response asynchronously. Hopefuly this will make
whole async SNI/OCSP process much faster and will eventually let us
remove the ClientHello parser itself (which is currently used only for
async session, see #1462 for the discussion of removing it).
NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use
`SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this
feature.
Fix: https://github.com/iojs/io.js/issues/1423
PR-URL: https://github.com/iojs/io.js/pull/1464
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
In newly introduced `SafeX509ExtPrint` I forgot to insert separators
between extensions, which lead to the "DNS:...DNS:..." thing for npm.
Fix: iojs/io.js#105
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/iojs/io.js/pull/113.patch
Strings are treated as UTF8 instead of one-byte strings when
names are processed and when OpenSSL's ..._print functions are used.
This commit fixes simple/test-tls-peer-certificate-encoding test.
fix#8366
In case of an invalid DH parameter file, it is sliently discarded. To
use auto DH parameter in a server and DHE key length check in a
client, we need to wait for the next release of OpenSSL-1.0.2.
Reviewed-By: Fedor Indutny <fedor@indutny.com>