Age | Commit message | Author |

When TLS 1.3 is used and `fail_if_no_peer_cert` (or equivalent)
is configured on the server, such as in mTLS scenarios, and
the client certificate is missing or invalid, the TLS 1.3 alert
will be sent after the handshake has completed.
The same is true for post-handshake authentication in TLS 1.3
which Erlang/OTP doesn't yet support, but will at some point in
the future.
Due to the asynchronous nature of some `ssl` socket operations,
such as sending, the alert may not always be returned from a
socket call. When the ssl socket is active we would receive
it as a message instead, so when Gun gets `{error,closed}`
it must look for the active message and see if an alert
occurred. When the ssl socket is passive we don't, so we
must query the socket for it (trying to set the socket active
at that point gets us the alert in the return value). There
is a span between handshake and the initial active mode set
where the socket is passive and may send data (the HTTP/2
preface) so we must account for both cases.
Because we sometimes have to wait for the alert as a message,
and we don't want to wait for a very long time (200ms), we
sometimes may lose the alert. Perhaps in the future this wait
time can be made configurable for users that really require
getting the alert.
The tests are only enabled on Linux because other OSes have
intermittent failures (likely due to timing).
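The two retrieval paths the message describes, written out as an added illustration rather than Gun's own code; it assumes an OTP `ssl` socket that just returned `{error,closed}`, uses the 200ms wait from the message, and the module and function names are hypothetical:

```erlang
%% Added example, not Gun's code. After a send or receive on an `ssl`
%% socket returned {error,closed}, try to recover the TLS 1.3 alert that
%% OTP may deliver after the handshake (for example when the server
%% requires a client certificate). ssl:setopts/2 and the {ssl_error,...}
%% and {ssl_closed,...} messages are OTP's documented API.
-module(tls_alert_example).
-export([closed_reason/2]).

%% Same bound as the message above: longer waits are safer but slower.
-define(ALERT_WAIT_MS, 200).

%% Mode must reflect how the caller left the socket (active or passive).
-spec closed_reason(ssl:sslsocket(), active | passive) ->
        {tls_alert, term()} | closed.
closed_reason(Socket, active) ->
    %% In active mode the alert arrives as a message, not a return value.
    receive
        {ssl_error, Socket, {tls_alert, _} = Alert} -> Alert;
        {ssl_closed, Socket} -> closed
    after ?ALERT_WAIT_MS ->
        %% The alert may still be in flight; past this point it is lost.
        closed
    end;
closed_reason(Socket, passive) ->
    %% In passive mode nothing is queued; switching to active makes OTP
    %% report a pending alert as the return value of setopts/2.
    case ssl:setopts(Socket, [{active, once}]) of
        {error, {tls_alert, _} = Alert} -> Alert;
        {error, _} -> closed;
        ok ->
            %% Socket is active now, so fall back to the message path.
            closed_reason(Socket, active)
    end.
```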
Also fix an EvHandlerState value that mistakenly got dropped.
Otherwise garbage gets sent.
HTTP requires us to do wildcard certificate matching
so we now do it by default. That plus the previously
added `cacerts` configuration by default (using
`public_key:cacerts_get/0`) means that as far as
certificates are concerned, the default should now be
fully compliant. Users may want to keep configuring
some options such as `depth` though.
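An explicit `tls_opts` configuration equivalent to the certificate defaults the message describes, added here as an example and not taken from Gun; `verify_peer`, the depth value, the host name and the use of `gun:open/3` are assumptions:

```erlang
%% Added example, not Gun's code: the explicit form of the certificate
%% defaults described above, for callers who want to see or override them.
%% verify_peer and the depth value are assumptions, not Gun's settings.
TlsOpts = [
    {verify, verify_peer},
    %% Trust the OS certificate store (OTP 25 and later).
    {cacerts, public_key:cacerts_get()},
    %% HTTPS-style hostname matching, including wildcard certificates.
    {customize_hostname_check,
        [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]},
    %% Maximum certificate chain length; tune per deployment.
    {depth, 3}
],
%% Placeholder host name.
{ok, ConnPid} = gun:open("example.com", 443,
    #{transport => tls, tls_opts => TlsOpts}).
```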
Signed-off-by: Viktor Söderqvist <[email protected]>
In order to simplify the implementation the CookieStore is
given to the connect function now, even though it's not
currently used.
If the limit has been reached, new requests are failed immediately,
so that the application can retry them on a different connection.
Co-authored-by: Björn Svensson <[email protected]>
LH: Minor tweaks.
Adds event_handler and event_handler_state in the map returned by
gun:info/1.
Signed-off-by: Viktor Söderqvist <[email protected]>
LH: I have fixed types, extended tests and tweaked a bit.
* Tunneled streams can now close the stream.
* Data received on tunneled streams now results in
WINDOW_UPDATE frames being sent if necessary,
and flow control is handled.
This was detected as part of writing a new Cowboy test
suite for benchmarking Websocket, but should help other
uses too.
Since quicer, which provides the QUIC implementation,
is a NIF, Gun cannot depend directly on it. In order
to enable QUIC and HTTP/3, users have to set the
GUN_QUICER environment variable:
export GUN_QUICER=1
Gun is now tested using GitHub Actions. As a result
OTP-24+ is now required. In addition, the number
of OTP releases tested has been reduced; only the
latest of each major version is now tested.
This also updates Erlang.mk.
Also "fix" many TLS test failures due to yet more changes
in the default options for TLS.
Also small changes to make Dialyzer happy.
And ensure that we don't infinite loop when retries are
enabled, by decrementing the retry count instead of using
a new one.
Also check for ssl:negotiated_protocol {error,closed}
which was possible but was not documented in OTP before
this change.
Thanks @voluntas for the help.
This is to avoid reconnecting forever in a loop on bad
configuration (such as IP in a different subnet).
The number of unacknowledged pings that can be tolerated
before the connection is forcefully closed.
When a keepalive ping is sent to the peer, a counter is
incremented and if this counter exceeds the tolerance limit,
the connection is forcefully closed. The counter is
decremented whenever a ping ack is received from the peer.
By default, the mechanism for closing the connection based
on ping and ping ack is disabled.
Loïc Hoguin: I have edited a lot of the code and renamed
a few things as well as simplified the docs and increased
test timeouts to avoid race conditions.
We leave the pool in a degraded state if the configuration
given is invalid and a lookup/connect can't be made.
When no TCP options are provided, Gun will enable send
timeouts at 15s. The value was chosen large enough to
be safe while still allowing Gun to detect send errors
eventually. Different applications may need to tweak
and lower this value.
Loïc: I have reworded a couple things and reordered the tests.
It would be great to also test these things over proxies.
The following functions used to return a state, but now
return {state, State} or {error, Reason}:
* frame/5
* update_window/1,2
* maybe_ack_or_notify/2
* reset_stream/3
* push_promise_frame/7
* goaway/2
* maybe_send_data/6
* send_data/4
* send_data/6
* send_data_frame/4
Dialyzer will temporarily fail until functions start to
return error tuples.
The http-state tests were removed and replaced with
tests in HTML pages. I have devised a way to
semi-automatically import them and test them.
Additional fixes were made following changes in
the rfc6265bis draft.
This is a preparation for allowing init/4 to return an ok or an
error tuple.
Amended to make the test case hit the problem.
This will make it more obvious what callbacks return.