path: root/lib/ssl/doc/src/notes.xml
Diffstat (limited to 'lib/ssl/doc/src/notes.xml')
-rw-r--r--  lib/ssl/doc/src/notes.xml  151
1 files changed, 150 insertions, 1 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 95e968aa22..756c0d1b1f 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -31,7 +31,156 @@
<p>This document describes the changes made to the SSL application.
</p>
- <section><title>SSL 4.0</title>
+ <section><title>SSL 4.1</title>
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Updated ssl to ignore CA certs that violate the asn1-spec
+ for a certificate, and updated public key asn1 spec to
+ handle inherited DSS-params.</p>
+ <p>
+ Own Id: OTP-7884</p>
+ </item>
+ <item>
+ <p>
+ Changed ssl implementation to retain backwards
+ compatibility for old option {verify, 0} that shall be
+ equivalent to {verify, verify_none}, also separate the
+ cases unknown ca and selfsigned peer cert, and restored
+ return value of deprecated function
+ public_key:pem_to_der/1.</p>
+ <p>
+ Own Id: OTP-8858</p>
+ </item>
+ <item>
+ <p>
+ Changed the verify fun so that it differentiate between
+ the peer certificate and CA certificates by using
+ valid_peer or valid as the second argument to the verify
+ fun. It may not always be trivial or even possible to
+ know when the peer certificate is reached otherwise.</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-8873</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 4.0.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ The server now verifies the client certificate verify
+ message correctly, instead of causing a case-clause.</p>
+ <p>
+ Own Id: OTP-8721</p>
+ </item>
+ <item>
+ <p>
+ The client hello message now always include ALL available
+ cipher suites (or those specified by the ciphers option).
+ Previous implementation would filter them based on the
+ client certificate key usage extension (such filtering
+ only makes sense for the server certificate).</p>
+ <p>
+ Own Id: OTP-8772</p>
+ </item>
+ <item>
+ <p>
+ Fixed handling of the option {mode, list} that was broken
+ for some packet types for instance line.</p>
+ <p>
+ Own Id: OTP-8785</p>
+ </item>
+ <item>
+ <p>
+ Empty packets were not delivered to the client.</p>
+ <p>
+ Own Id: OTP-8790</p>
+ </item>
+ <item>
+ <p> Building in a source tree without prebuilt platform
+ independent build results failed on the SSL examples
+ when: </p> <list><item> cross building. This has been
+ solved by not building the SSL examples during a cross
+ build. </item><item> building on Windows. </item></list>
+ <p>
+ Own Id: OTP-8791</p>
+ </item>
+ <item>
+ <p>
+ Fixed a handshake error which occurred on some ssl
+ implementations.</p>
+ <p>
+ Own Id: OTP-8793</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Revise the public_key API - Cleaned up and documented the
+ public_key API to make it useful for general use, also
+ changed ssl to use the new API.</p>
+ <p>
+ Own Id: OTP-8722</p>
+ </item>
+ <item>
+ <p>
+ Added support for inputing certificates and keys directly
+ in DER format these options will override the pem-file
+ options if specified.</p>
+ <p>
+ Own Id: OTP-8723</p>
+ </item>
+ <item>
+ <p>
+ To gain interoperability ssl will not check for padding
+ errors when using TLS 1.0. It is first in TLS 1.1 that
+ checking the padding is an requirement.</p>
+ <p>
+ Own Id: OTP-8740</p>
+ </item>
+ <item>
+ <p>
+ Changed the semantics of the verify_fun option in the
+ ssl-application so that it takes care of both application
+ handling of path validation errors and verification of
+ application specific extensions. This means that it is
+ now possible for the server application in verify_peer
+ mode to handle path validation errors. This change moved
+ some functionality earlier in ssl to the public_key
+ application.</p>
+ <p>
+ Own Id: OTP-8770</p>
+ </item>
+ <item>
+ <p>
+ Added the functionality so that the verification fun will
+ be called when a certificate is considered valid by the
+ path validation to allow access to each certificate in
+ the path to the user application. Also try to verify
+ subject-AltName, if unable to verify it let the
+ application verify it.</p>
+ <p>
+ Own Id: OTP-8825</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 4.0</title>
<section><title>Improvements and New Features</title>
<list>
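Review bot: the OTP-8740 entry in the new SSL 4.0.1 section says ssl "will not check for padding errors when using TLS 1.0" without saying which check is being dropped; a reader cannot tell from this whether only the contents of the padding bytes go unchecked or whether the padding length itself is also taken at face value, so the note should state explicitly that the padding length is still validated against the record and that the MAC is still verified, and only the padding-byte contents are no longer compared. The "first in TLS 1.1" claim is consistent with the specifications (RFC 2246 only requires the sender to fill the padding bytes with the padding length; RFC 4346 is the first to require the receiver to check them), so cite the RFC in the note rather than leaving the reader to verify it. Two typos in the added text: "an requirement" (OTP-8740) should read "a requirement", and "inputing" (OTP-8723) should read "inputting". The OTP-8791 item also has its nested <list><item>...</item></list> run together on the same lines as the surrounding <p> tags, which should be split onto separate lines to match the formatting of every other item in the file. Finally, the OTP-8858 entry reinstates {verify, 0} as an alias for {verify, verify_none}; since this silently disables certificate verification for callers still passing the old integer form, the note should say whether a deprecation warning is emitted for it.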