diff options
author | Erlang/OTP <[email protected]> | 2013-08-21 12:54:38 +0200 |
---|---|---|
committer | Erlang/OTP <[email protected]> | 2013-08-21 12:54:38 +0200 |
commit | b6b47d4c18c88380ea104aab57e13363c7b24a51 (patch) | |
tree | 7083aba98b243d6a1cd6aa279da737295f4f22bf | |
parent | a21db4078a7b5f23b665dc2d466541b394936cb8 (diff) | |
parent | 2ab0f356a00f42060d0f4ca9c4225644e2d9052e (diff) | |
download | otp-b6b47d4c18c88380ea104aab57e13363c7b24a51.tar.gz otp-b6b47d4c18c88380ea104aab57e13363c7b24a51.tar.bz2 otp-b6b47d4c18c88380ea104aab57e13363c7b24a51.zip |
Merge branch 'fredrik/inets/ssl/fixup_log_alert_option/OTP-11259' into maint-r15
* fredrik/inets/ssl/fixup_log_alert_option/OTP-11259:
[inets, ssl]: make log_alert configurable as option in ssl, SSLLogLevel added as option to inets conf file
-rw-r--r-- | lib/inets/src/http_lib/http_transport.erl | 18 | ||||
-rw-r--r-- | lib/inets/src/http_server/httpd_conf.erl | 18 | ||||
-rw-r--r-- | lib/inets/src/http_server/httpd_request_handler.erl | 2 | ||||
-rw-r--r-- | lib/inets/src/inets_app/inets.appup.src | 10 | ||||
-rw-r--r-- | lib/inets/vsn.mk | 2 | ||||
-rw-r--r-- | lib/ssl/src/ssl.appup.src | 10 | ||||
-rw-r--r-- | lib/ssl/src/ssl.erl | 8 | ||||
-rw-r--r-- | lib/ssl/src/ssl_connection.erl | 25 | ||||
-rw-r--r-- | lib/ssl/src/ssl_internal.hrl | 3 | ||||
-rw-r--r-- | lib/ssl/vsn.mk | 2 |
10 files changed, 71 insertions, 27 deletions
diff --git a/lib/inets/src/http_lib/http_transport.erl b/lib/inets/src/http_lib/http_transport.erl index 5eb827032f..8b103628d7 100644 --- a/lib/inets/src/http_lib/http_transport.erl +++ b/lib/inets/src/http_lib/http_transport.erl @@ -174,7 +174,13 @@ listen({essl, SSLConfig}, Addr, Port) -> [{addr, Addr}, {port, Port}, {ssl_config, SSLConfig}]), - listen_ssl(Addr, Port, [{ssl_imp, new}, {reuseaddr, true} | SSLConfig]). + {SSLConfig2, ExtraOpts} = case proplists:get_value(log_alert, SSLConfig, undefined) of + undefined -> + {SSLConfig, []}; + LogAlert -> + {proplists:delete(log_alert, SSLConfig), [{log_alert, LogAlert}]} + end, + listen_ssl(Addr, Port, [{ssl_imp, new}, {reuseaddr, true} | SSLConfig2], ExtraOpts). listen(ip_comm, Addr, Port, Fd) -> @@ -222,24 +228,24 @@ do_listen_ip_comm(Addr, Port, Fd) -> end. -listen_ssl(Addr, Port, Opts0) -> +listen_ssl(Addr, Port, Opts0, ExtraOpts) -> IpFamily = ipfamily_default(Addr, Port), BaseOpts = [{backlog, 128}, {reuseaddr, true} | Opts0], Opts = sock_opts(Addr, BaseOpts), case IpFamily of inet6fb4 -> - Opts2 = [inet6 | Opts], + Opts2 = [inet6 | Opts] ++ ExtraOpts, ?hlrt("try ipv6 listen", [{opts, Opts2}]), case (catch ssl:listen(Port, Opts2)) of {error, Reason} when ((Reason =:= nxdomain) orelse (Reason =:= eafnosupport)) -> - Opts3 = [inet | Opts], + Opts3 = [inet | Opts] ++ ExtraOpts, ?hlrt("ipv6 listen failed - try ipv4 instead", [{reason, Reason}, {opts, Opts3}]), ssl:listen(Port, Opts3); {'EXIT', Reason} -> - Opts3 = [inet | Opts], + Opts3 = [inet | Opts] ++ ExtraOpts, ?hlrt("ipv6 listen exit - try ipv4 instead", [{reason, Reason}, {opts, Opts3}]), ssl:listen(Port, Opts3); @@ -252,7 +258,7 @@ listen_ssl(Addr, Port, Opts0) -> _ -> Opts2 = [IpFamily | Opts], ?hlrt("listen", [{opts, Opts2}]), - ssl:listen(Port, Opts2) + ssl:listen(Port, Opts2 ++ ExtraOpts) end. diff --git a/lib/inets/src/http_server/httpd_conf.erl b/lib/inets/src/http_server/httpd_conf.erl index 884e3defb8..190967f656 100644 --- a/lib/inets/src/http_server/httpd_conf.erl +++ b/lib/inets/src/http_server/httpd_conf.erl @@ -390,6 +390,13 @@ load("SSLCertificateFile " ++ SSLCertificateFile, []) -> {error, ?NICE(clean(SSLCertificateFile)++ " is an invalid SSLCertificateFile")} end; +load("SSLLogLevel " ++ SSLLogAlert, []) -> + case SSLLogAlert of + "none" -> + {ok, [], {ssl_log_alert, false}}; + _ -> + {ok, [], {ssl_log_alert, true}} + end; load("SSLCertificateKeyFile " ++ SSLCertificateKeyFile, []) -> case is_file(clean(SSLCertificateKeyFile)) of {ok, File} -> @@ -942,7 +949,8 @@ ssl_config(ConfigDB) -> ssl_ciphers(ConfigDB) ++ ssl_password(ConfigDB) ++ ssl_verify_depth(ConfigDB) ++ - ssl_ca_certificate_file(ConfigDB). + ssl_ca_certificate_file(ConfigDB) ++ + ssl_log_level(ConfigDB). @@ -1208,6 +1216,14 @@ ssl_certificate_key_file(ConfigDB) -> [{keyfile,SSLCertificateKeyFile}] end. +ssl_log_level(ConfigDB) -> + case httpd_util:lookup(ConfigDB,ssl_log_alert) of + undefined -> + []; + SSLLogLevel -> + [{log_alert,SSLLogLevel}] + end. + ssl_verify_client(ConfigDB) -> case httpd_util:lookup(ConfigDB,ssl_verify_client) of undefined -> diff --git a/lib/inets/src/http_server/httpd_request_handler.erl b/lib/inets/src/http_server/httpd_request_handler.erl index 0f47d785ef..cb20159794 100644 --- a/lib/inets/src/http_server/httpd_request_handler.erl +++ b/lib/inets/src/http_server/httpd_request_handler.erl @@ -106,7 +106,7 @@ init([Manager, ConfigDB, AcceptTimeout]) -> case http_transport:negotiate(SocketType, Socket, TimeOut) of {error, Error} -> ?hdrd("negotiation failed", [{error, Error}]), - exit(Error); %% Can be 'normal'. + exit(shutdown); %% Can be 'normal'. ok -> ?hdrt("negotiation successfull", []), NewTimeout = TimeOut - timer:now_diff(now(),Then) div 1000, diff --git a/lib/inets/src/inets_app/inets.appup.src b/lib/inets/src/inets_app/inets.appup.src index 2995a2f712..3e005379bb 100644 --- a/lib/inets/src/inets_app/inets.appup.src +++ b/lib/inets/src/inets_app/inets.appup.src @@ -18,6 +18,11 @@ {"%VSN%", [ + {"5.9.2.1", + [ + {restart_application, inets} + ] + }, {"5.9.2", [ {load_module, httpd_manager, soft_purge, soft_purge, []} @@ -76,6 +81,11 @@ } ], [ + {"5.9.2.1", + [ + {restart_application, inets} + ] + }, {"5.9.2", [ {load_module, httpd_manager, soft_purge, soft_purge, []} diff --git a/lib/inets/vsn.mk b/lib/inets/vsn.mk index 525d3847e6..4aa5de8f1a 100644 --- a/lib/inets/vsn.mk +++ b/lib/inets/vsn.mk @@ -18,7 +18,7 @@ # %CopyrightEnd% APPLICATION = inets -INETS_VSN = 5.9.2.1 +INETS_VSN = 5.9.2.2 PRE_VSN = APP_VSN = "$(APPLICATION)-$(INETS_VSN)$(PRE_VSN)" diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src index 9b1227fa7f..664f588003 100644 --- a/lib/ssl/src/ssl.appup.src +++ b/lib/ssl/src/ssl.appup.src @@ -1,6 +1,11 @@ %% -*- erlang -*- {"%VSN%", [ + {"5.1.2", + [ + {restart_application, inets} + ] + }, {"5.1.1", [{restart_application, ssl}] }, {"5.1", [ @@ -12,6 +17,11 @@ {<<"3\\.*">>, [{restart_application, ssl}]} ], [ + {"5.1.2", + [ + {restart_application, inets} + ] + }, {"5.1.1", [{restart_application, ssl}] }, {"5.1", [ diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index 66ceb2a591..b52470b988 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -596,7 +596,8 @@ handle_options(Opts0, _Role) -> renegotiate_at = handle_option(renegotiate_at, Opts, ?DEFAULT_RENEGOTIATE_AT), debug = handle_option(debug, Opts, []), hibernate_after = handle_option(hibernate_after, Opts, undefined), - erl_dist = handle_option(erl_dist, Opts, false) + erl_dist = handle_option(erl_dist, Opts, false), + log_alert = handle_option(log_alert, Opts, true) }, CbInfo = proplists:get_value(cb_info, Opts, {gen_tcp, tcp, tcp_closed, tcp_error}), @@ -605,7 +606,7 @@ handle_options(Opts0, _Role) -> depth, cert, certfile, key, keyfile, password, cacerts, cacertfile, dh, dhfile, ciphers, debug, reuse_session, reuse_sessions, ssl_imp, - cb_info, renegotiate_at, secure_renegotiate, hibernate_after, erl_dist], + cb_info, renegotiate_at, secure_renegotiate, hibernate_after, erl_dist, log_alert], SockOpts = lists:foldl(fun(Key, PropList) -> proplists:delete(Key, PropList) @@ -733,6 +734,9 @@ validate_option(hibernate_after, Value) when is_integer(Value), Value >= 0 -> validate_option(erl_dist,Value) when Value == true; Value == false -> Value; +validate_option(log_alert,Value) when Value == true; + Value == false -> + Value; validate_option(Opt, Value) -> throw({error, {eoptions, {Opt, Value}}}). diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index d4784604fd..73857bccbb 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -87,7 +87,6 @@ cert_db_ref, % ref() bytes_to_read, % integer(), # bytes to read in passive mode user_data_buffer, % binary() - log_alert, % boolean() renegotiation, % {boolean(), From | internal | peer} start_or_recv_from, % "gen_fsm From" timer, % start_or_recv_timer @@ -2123,7 +2122,6 @@ initial_state(Role, Host, Port, Socket, {SSLOptions, SocketOptions}, User, tls_cipher_texts = [], user_application = {Monitor, User}, user_data_buffer = <<>>, - log_alert = true, session_cache_cb = SessionCacheCb, renegotiation = {false, first}, start_or_recv_from = undefined, @@ -2230,11 +2228,10 @@ handle_alerts([Alert | Alerts], {next_state, StateName, State, _Timeout}) -> handle_alerts(Alerts, handle_alert(Alert, StateName, State)). handle_alert(#alert{level = ?FATAL} = Alert, StateName, - #state{start_or_recv_from = From, host = Host, port = Port, session = Session, - user_application = {_Mon, Pid}, - log_alert = Log, role = Role, socket_options = Opts} = State) -> + #state{ssl_options = SslOpts, start_or_recv_from = From, host = Host, port = Port, session = Session, + user_application = {_Mon, Pid}, role = Role, socket_options = Opts} = State) -> invalidate_session(Role, Host, Port, Session), - log_alert(Log, StateName, Alert), + log_alert(SslOpts#ssl_options.log_alert, StateName, Alert), alert_user(StateName, Opts, Pid, From, Alert, Role), {stop, normal, State}; @@ -2244,21 +2241,21 @@ handle_alert(#alert{level = ?WARNING, description = ?CLOSE_NOTIFY} = Alert, {stop, {shutdown, peer_close}, State}; handle_alert(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert, StateName, - #state{log_alert = Log, renegotiation = {true, internal}} = State) -> - log_alert(Log, StateName, Alert), + #state{ssl_options = SslOpts, renegotiation = {true, internal}} = State) -> + log_alert(SslOpts#ssl_options.log_alert, StateName, Alert), handle_normal_shutdown(Alert, StateName, State), {stop, {shutdown, peer_close}, State}; handle_alert(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert, StateName, - #state{log_alert = Log, renegotiation = {true, From}} = State0) -> - log_alert(Log, StateName, Alert), + #state{ssl_options = SslOpts, renegotiation = {true, From}} = State0) -> + log_alert(SslOpts#ssl_options.log_alert, StateName, Alert), gen_fsm:reply(From, {error, renegotiation_rejected}), {Record, State} = next_record(State0), next_state(StateName, connection, Record, State); handle_alert(#alert{level = ?WARNING, description = ?USER_CANCELED} = Alert, StateName, - #state{log_alert = Log} = State0) -> - log_alert(Log, StateName, Alert), + #state{ssl_options = SslOpts} = State0) -> + log_alert(SslOpts#ssl_options.log_alert, StateName, Alert), {Record, State} = next_record(State0), next_state(StateName, StateName, Record, State). @@ -2296,7 +2293,7 @@ handle_own_alert(Alert, Version, StateName, #state{transport_cb = Transport, socket = Socket, connection_states = ConnectionStates, - log_alert = Log} = State) -> + ssl_options = SslOpts} = State) -> try %% Try to tell the other side {BinMsg, _} = encode_alert(Alert, Version, ConnectionStates), @@ -2306,7 +2303,7 @@ handle_own_alert(Alert, Version, StateName, ignore end, try %% Try to tell the local user - log_alert(Log, StateName, Alert), + log_alert(SslOpts#ssl_options.log_alert, StateName, Alert), handle_normal_shutdown(Alert,StateName, State) catch _:_ -> ok diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl index b8f2ae3b51..d8815369e9 100644 --- a/lib/ssl/src/ssl_internal.hrl +++ b/lib/ssl/src/ssl_internal.hrl @@ -106,7 +106,8 @@ % after which ssl_connection will % go into hibernation %% This option should only be set to true by inet_tls_dist - erl_dist = false + erl_dist = false, + log_alert }). -record(socket_options, diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk index adfb29e639..84728fd311 100644 --- a/lib/ssl/vsn.mk +++ b/lib/ssl/vsn.mk @@ -1 +1 @@ -SSL_VSN = 5.1.2 +SSL_VSN = 5.1.2.1 |