1c5f0b5c81
Graceful Schannel context shutdown added, but session resumption still does not work :(
2016-09-01 15:42:57 +02:00
56e2448f71
Clearing session resumption for ownTLS added.
...
(Have yet to learn how do you do this for Schannel. Better yet: How do you make Schannel resume a session in the first place.)
2016-09-01 14:59:03 +02:00
1e60d21860
On session reconnect skip inner re-authentication now
2016-09-01 12:49:20 +02:00
844b185887
EAP packet classes organized in hierarchy now
2016-09-01 10:25:33 +02:00
171e924dcf
Estimated flag to enable TLS 1.3 once available added
2016-08-31 18:40:28 +02:00
281c3ee083
Schannel tweaked to support TLS 1.2 now
...
(closes #16 )
2016-08-31 18:13:24 +02:00
c9be6f4f7b
Support for multiple identity providers of draft-winter-opsawg-eap-metadata XML configuration added
2016-08-31 14:39:27 +02:00
452fa4b9dc
Inserting single-occurrence XML elements with children simplified
2016-08-31 09:48:11 +02:00
68aec5dfb4
Namespace name is static member now
2016-08-31 08:43:03 +02:00
cafd786e19
Own TLS updated to keep it alive (now that the fuss around outer/inner methods settled)
2016-08-29 20:40:37 +02:00
a7c8052ee2
eap::method revised to support nesting, so the PAP method was made a stand-alone method
2016-08-29 20:05:58 +02:00
b6ae394eaf
User identity derived from certificate is using sAN2 and sAN extensions only now
2016-08-29 13:51:19 +02:00
79499d7afd
i and i disambiguation
2016-08-29 13:50:36 +02:00
df680e74f6
TLS credentials are considered empty regardless the state of custom identity setting now
2016-08-28 20:05:41 +02:00
fc5e54db05
Inner configuration/credential management virtualized to reduce cluttering code
2016-08-28 17:20:24 +02:00
9daa5b52a4
Incorrect letter case referencing EapHost service fixed
2016-08-27 06:58:57 +02:00
6077063599
The credentials are marked "invalid" at transition from handshake to application data phase only to prevent initial handshake problems from popping-up credential prompt when credentials have nothing to do with the connection failure.
2016-08-25 13:08:11 +02:00
2857b2edd2
First application data message is now appended piggyback to the last client handshake message
...
(Hopefully resolving issue with Radiator)
2016-08-25 13:00:47 +02:00
6760287f0d
Duplicate log record of EAP-TLS handshake removed
2016-08-25 12:58:56 +02:00
7973a8d59b
Handshake log events are a bit more specific now
2016-08-25 12:57:47 +02:00
d1c24efcf0
config_method_with_cred renamed to config_connection to describe it better
2016-08-24 11:39:37 +02:00
38e1443276
Logging of handshake progress introduced
2016-08-24 11:04:04 +02:00
6835f5279c
Certificate (TLS) credentials support custom identity now
2016-08-24 11:03:18 +02:00
eb9c8a5f7c
If configured trusted root CA certificate list is empty, that really means "Trust no one!" now
2016-08-23 23:40:07 +02:00
5332b538aa
Our own TLS merged back to master and compiles conditionally
2016-08-23 22:46:00 +02:00
387a12ab5e
Additional cases of invalid certificate caught
2016-08-23 17:41:20 +02:00
7b3251a758
Error throwing clean-up
2016-08-23 17:20:04 +02:00
ef2042253c
When server certificate has no subjectAltName(2), compare host name against Common Name
2016-08-23 14:29:47 +02:00
9b997408a1
Switched to Schannel to do the TLS
2016-08-23 13:53:23 +02:00
df1d431bd0
- TLS revised (again)
...
- TLS Session resumption issues resolved
- Credential prompt has "Remember" checkbox initially selected when credentials originate from Windows Credential Manager
- Last authentication attempt failure notice is more general and no longer insinuate user credentials are the likely cause of the failure
- Additional log messages added
2016-08-17 11:50:34 +02:00
16527c8124
Client explicitly refuses to accept change cipher spec if no or NULL cipher was proposed now
2016-08-17 09:32:43 +02:00
69e6b775f8
Hello requests are no longer included in the handshake hashing (as per RFC)
2016-08-17 09:29:55 +02:00
c69316071f
Support for encrypted change cipher spec messages added
2016-08-17 09:26:46 +02:00
a02d1e7094
Explicit checks on server certificate chain added:
...
- Certificate can not be self-signed: Cannot check trust against configured root CAs when server certificate is self-signed
- Server can provide full certificate chain up-to and including root CA. Importing root CA to the store for certificate chain validation would implicitly trust this certificate chain. Thus, we skip all self-signed certificates on import.
2016-08-17 09:22:38 +02:00
078636eb14
make_change_chiper_spec() removed as this message can simply be created using make_message()
2016-08-17 09:09:42 +02:00
cabae26e0b
Flags describing handshake messages received assembled in a boolean table of flags
2016-08-17 09:01:11 +02:00
a5b3914a09
Comments and some minor clean-up
2016-08-16 22:27:30 +02:00
00dd1277c5
Switched to the new key import method, as the old one had issues with PROV_RSA_AES crystallographic provider
2016-08-16 16:55:18 +02:00
e9839706b6
TLS clean-up
2016-08-16 16:44:19 +02:00
db27355e46
Some last compiler warnings resolved
2016-08-16 00:58:22 +02:00
85d7c3d4ec
Support for TLS 1.2 added
2016-08-16 00:47:47 +02:00
d68fd6ce08
Support for TLS 1.1 finished
2016-08-15 22:49:45 +02:00
82e910fea4
Late pad-checking added to prevent [Canvel, B] attack
2016-08-15 22:48:08 +02:00
de802b7a28
Byte-enums redefined & code clean-up
2016-08-15 21:01:38 +02:00
67fe27f6fd
Support for stream ciphers added
2016-08-15 19:04:56 +02:00
c8cfe4da42
TLS version no longer static, thou still fixed to TLS 1.0
2016-08-15 19:04:21 +02:00
d8ccf7cbc0
Credential management revised
2016-08-15 17:33:10 +02:00
e34d2ba275
Prefast declaration update
2016-08-15 15:10:42 +02:00
3d6849a523
Peer correctly returns providers configuration instead of method configuration in method_tls::get_result()
2016-08-15 14:13:14 +02:00
e807336e7b
The TLS phase can be determined from flags alone, therefore m_phase member eliminated
2016-08-15 10:40:27 +02:00
