Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
|
|
|
|
When TLS 1.3 is used and `fail_if_no_peer_cert` (or equivalent)
is configured on the server, such as in mTLS scenarios, and
the client certificate is missing or invalid, the TLS 1.3 alert
will be sent after the handshake has completed.
The same is true for post-handshake authentication in TLS 1.3
which Erlang/OTP doesn't yet support, but will at some point in
the future.
Due to the asynchronous nature of some `ssl` socket operations,
such as sending, the alert may not always be returned from a
socket call. When the ssl socket is active we would receive
it as a message instead, so when Gun gets `{error,closed}`
it must look for the active message and see if an alert
occurred. When the ssl socket is passive we don't, so we
must query the socket for it (trying to set the socket active
at that point gets us the alert in the return value). There
is a span between handshake and the initial active mode set
where the socket is passive and may send data (the HTTP/2
preface) so we must account for both cases.
Because we sometimes have to wait for the alert as a message,
and we don't want to wait for a very long time (200ms), we
sometimes may lose the alert. Perhaps in the future this wait
time can be made configurable for users that really require
getting the alert.
The tests are only enabled on Linux because other OSes have
intermittent failures (likely due to timing).
|
|
|
|
|
|
Also fix an EvHandlerState value that mistakenly got dropped.
|
|
|
|
Otherwise garbage gets sent.
|
|
HTTP requires us to do wildcard certificate matching
so we now do it by default. That plus the previously
added `cacerts` configuration by default (using
`public_key:cacerts_get/0`) means that as far as
certificates are concerned, the default should now be
fully compliant. Users may want to keep configuring
some options such as `depth` though.
|
|
|
|
|
|
|
|
|
|
|
|
Signed-off-by: Viktor Söderqvist <[email protected]>
|
|
In order to simplify the implementation the CookieStore is
given to the connect function now, even though it's not
currently used.
|
|
If the limit has been reached, new requests are failed immediately,
so that the application can retry them on a different connection.
Co-authored-by: Björn Svensson <[email protected]>
|
|
LH: Minor tweaks.
|
|
Adds event_handler and event_handler_state in the map returned by
gun:info/1.
Signed-off-by: Viktor Söderqvist <[email protected]>
|
|
LH: I have expanded and documented gun_notify in its own page.
|
|
LH: I have fixed types, extended tests and tweaked a bit.
|
|
|
|
|
|
|
|
|
|
|
|
Depending on the environment the send buffer may not be
configured as low as we want, so the test will take longer.
|
|
* Tunneled streams can now close the stream.
* Data received on tunneled streams now result in
WINDOW_UPDATE frames being sent if necessary,
and flow control is handled.
This was detected as part of writing a new Cowboy test
suite for benchmarking Websocket, but should help other
uses too.
|
|
|
|
|
|
|
|
Some things likely changed and made it not work anymore.
Also seems that the macOS runner is now ARM64.
|
|
|
|
|
|
Since quicer, which provides the QUIC implementation,
is a NIF, Gun cannot depend directly on it. In order
to enable QUIC and HTTP/3, users have to set the
GUN_QUICER environment variable:
export GUN_QUICER=1
Gun is now tested using GitHub Actions. As a result
OTP-24+ is now required. In addition, the number
of OTP releases tested has been reduced; only the
latest of each major version is now tested.
This also updates Erlang.mk.
|
|
|
|
|
|
Also "fix" many TLS test failures due to yet more changes
in the default options for TLS.
Also small changes to make Dialyzer happy.
|
|
|
|
|
|
|
|
And ensure that we don't infinite loop when retries are
enabled, by decrementing the retry count instead of using
a new one.
Also check for ssl:negotiated_protocol {error,closed}
which was possible but was not documented in OTP before
this change.
Thanks @voluntas for the help.
|
|
|
|
|
|
|
|
|
|
|