diff options
| author | Ingela Anderton Andin <[email protected]> | 2016-04-06 11:39:35 +0200 |
|---|---|---|
| committer | Ingela Anderton Andin <[email protected]> | 2016-04-06 11:39:35 +0200 |
| commit | 57fcf2334c04352af3ce2c09a370fe9a04b073e9 (patch) | |
| tree | 148546f7c0feab9b082240adf781c965fd7603c2 /lib/ssl/src/ssl.erl | |
| parent | 30b22c1a3835fa411733763c49c65f2e2abb1640 (diff) | |
| parent | 9a834cff78e3f4e33b561304c83de717019f5a4d (diff) | |
| download | otp-57fcf2334c04352af3ce2c09a370fe9a04b073e9.tar.gz otp-57fcf2334c04352af3ce2c09a370fe9a04b073e9.tar.bz2 otp-57fcf2334c04352af3ce2c09a370fe9a04b073e9.zip | |
Merge branch 'ingela/ssl/config-signature-algs/OTP-13463'
* ingela/ssl/config-signature-algs/OTP-13463:
ssl: Remove default support for use of md5 in TLS 1.2 signature algorithms
ssl: Add option signature_algs
Diffstat (limited to 'lib/ssl/src/ssl.erl')
| -rw-r--r-- | lib/ssl/src/ssl.erl | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index 780bef5877..9045f8fef9 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -700,6 +700,10 @@ handle_options(Opts0, Role) -> srp_identity = handle_option(srp_identity, Opts, undefined), ciphers = handle_cipher_option(proplists:get_value(ciphers, Opts, []), RecordCb:highest_protocol_version(Versions)), + signature_algs = handle_hashsigns_option(proplists:get_value(signature_algs, Opts, + default_option_role(server, + tls_v1:default_signature_algs(Versions), Role)), + RecordCb:highest_protocol_version(Versions)), %% Server side option reuse_session = handle_option(reuse_session, Opts, ReuseSessionFun), reuse_sessions = handle_option(reuse_sessions, Opts, true), @@ -749,7 +753,7 @@ handle_options(Opts0, Role) -> alpn_preferred_protocols, next_protocols_advertised, client_preferred_next_protocols, log_alert, server_name_indication, honor_cipher_order, padding_check, crl_check, crl_cache, - fallback], + fallback, signature_algs], SockOpts = lists:foldl(fun(Key, PropList) -> proplists:delete(Key, PropList) @@ -989,6 +993,18 @@ validate_option(crl_cache, {Cb, {_Handle, Options}} = Value) when is_atom(Cb) an validate_option(Opt, Value) -> throw({error, {options, {Opt, Value}}}). +handle_hashsigns_option(Value, {Major, Minor} = Version) when is_list(Value) + andalso Major >= 3 andalso Minor >= 3-> + case tls_v1:signature_algs(Version, Value) of + [] -> + throw({error, {options, no_supported_algorithms, {signature_algs, Value}}}); + _ -> + Value + end; +handle_hashsigns_option(_, {Major, Minor} = Version) when Major >= 3 andalso Minor >= 3-> + handle_hashsigns_option(tls_v1:default_signature_algs(Version), Version); +handle_hashsigns_option(_, _Version) -> + undefined. validate_options([]) -> []; @@ -1285,6 +1301,13 @@ new_ssl_options([{server_name_indication, Value} | Rest], #ssl_options{} = Opts, new_ssl_options(Rest, Opts#ssl_options{server_name_indication = validate_option(server_name_indication, Value)}, RecordCB); new_ssl_options([{honor_cipher_order, Value} | Rest], #ssl_options{} = Opts, RecordCB) -> new_ssl_options(Rest, Opts#ssl_options{honor_cipher_order = validate_option(honor_cipher_order, Value)}, RecordCB); +new_ssl_options([{signature_algs, Value} | Rest], #ssl_options{} = Opts, RecordCB) -> + new_ssl_options(Rest, + Opts#ssl_options{signature_algs = + handle_hashsigns_option(Value, + RecordCB:highest_protocol_version())}, + RecordCB); + new_ssl_options([{Key, Value} | _Rest], #ssl_options{}, _) -> throw({error, {options, {Key, Value}}}). |