1. 21 Nov, 2018 2 commits
      Deprecate TLS rehandshake APIs · 85f7d493
      Michael Catanzaro authored
      Allowing unsafe rehandshakes used to be required for web compatibility,
      but this is no longer a concern in 2018. So there should no longer be
      compatibility benefits to calling this function. All it does is make
      your TLS connection insecure.
      
      Also, rehandshaking no longer exists at all in TLS 1.3.
      
      At some point (maybe soon!) glib-networking will begin ignoring the
      rehandshake mode, so let's deprecate it now.
      Update documentation of g_tls_connection_handshake() one last time · 2031e37d
      Michael Catanzaro authored
      Let's entirely deprecate calling this function for rehandshaking. The
      current documentation is OK, but guarantees defined behavior (to attempt
      a rehandshake) when TLS 1.2 is in use. But there's no way to force TLS
      1.2, and also no way to check which version of TLS is in use. I really
      should have deprecated use of this function for rehandshaking entirely
      last time I updated it.
      
      Fortunately, there should be no compatibility risk for existing code,
      because rehandshaking has no visible effects at the API level.
  2. 12 Nov, 2018 1 commit
      Update documentation of g_tls_connection_handshake() again · 68878ab5
      Michael Catanzaro authored
      I made a mistake when last updating the documentation in 94a99ae9. I
      wrote that, with TLS 1.3, this would perform a rekey instead of a
      rehandshake. In fact, that's only true for client connections. For
      server connections, it's a no-op.
      
      I was a bit nervous about how to document the behavior anyway, because
      we really don't know what behavior will be reasonable with non-GnuTLS
      crypto backends. This behavior is reasonable for the GnuTLS backend, but
      might not necessarily make sense for OpenSSL. Ideally, we would
      discourage API users from doing things which could have unexpected
      effects, so instead of documenting what the GnuTLS backend does, I think
      it'd be better to document that this is "undefined but not dangerous,"
      since of course we want to make sure that existing code that doesn't
      know about TLS 1.3 is not broken.
  3. 27 Jul, 2018 1 commit
  4. 29 May, 2017 1 commit
  5. 22 Nov, 2016 1 commit
  6. 12 Oct, 2016 1 commit
  7. 18 Jan, 2016 1 commit
      gio: Add DTLS interfaces · c3d6934f
      Philip Withnall authored
      Add a new GDtlsConnection interface, plus derived GDtlsClientConnection
      and GDtlsServerConnection interfaces, for implementing Datagram TLS
      support in glib-networking.
      
      A GDtlsConnection is a GDatagramBased, so may be used as a normal
      datagram socket, wrapping all datagrams from a base GDatagramBased in
      DTLS segments.
      
      Test cases are included in the implementation in glib-networking.
      
      https://bugzilla.gnome.org/show_bug.cgi?id=752240
  8. 11 Jan, 2016 1 commit
  9. 06 Nov, 2015 1 commit
  10. 20 Feb, 2014 1 commit
  11. 08 Feb, 2014 1 commit
  12. 06 Feb, 2014 1 commit
  13. 31 Jan, 2014 1 commit
  14. 28 Aug, 2012 2 commits
  15. 31 Mar, 2012 1 commit
  16. 11 Aug, 2011 1 commit
  17. 04 Aug, 2011 1 commit
  18. 19 Jul, 2011 1 commit
  19. 20 Jun, 2011 1 commit
  20. 04 Jun, 2011 1 commit
  21. 22 Dec, 2010 1 commit
  22. 07 Dec, 2010 4 commits
      Change the handling of the peer certificate in GTlsConnection · f5c3e0d3
      Dan Winship authored
      Make the certificate and peer-certificate properties virtual, and add
      peer-certificate-errors as well. Change the documentation on
      peer-certificate to say that it's not set until after the handshake
      succeeds (which means notify::peer-certificate can be used to tell
      when a handshake has completed).
      Change the semantics of GTlsConnection:require-close-notify · 4f6efb68
      Dan Winship authored
      We were combining "allow un-notified closes" and "close without
      notifying" into a single property, which meant that it was impossible
      to "be liberal in what you accept and conservative in what you send".
      Change require-close-notify to only be about the peer behavior, and
      make our connections always close-notify properly when closing (while
      noting that you can just close the base-io-stream directly if you want
      to do an unclean close).
      Remove GTlsConnection::need-certificate · 95cba183
      Dan Winship authored
      Trying to do this as a signal won't work well with either
      GTlsCertificateDB (in which case looking up a certificate in the db is
      a blocking/asynchronous act) or session resumption support (in which
      case the certificate or lack thereof is part of the session definition
      and so needs to be known immediately). Make the caller use
      g_tls_connection_set_certificate() ahead of time (or when retrying)
      instead.
      Add GTlsConnection:use-system-certdb · d6e94070
      Dan Winship authored
      This can be set FALSE if you don't want to validate certificates
      against the system database.
  23. 29 Nov, 2010 1 commit
  24. 26 Nov, 2010 1 commit