aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/doc/src/notes.xml
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ssl/doc/src/notes.xml')
-rw-r--r--lib/ssl/doc/src/notes.xml450
1 files changed, 449 insertions, 1 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 61d1c8355a..c7f50777a8 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -4,7 +4,7 @@
<chapter>
<header>
<copyright>
- <year>1999</year><year>2013</year>
+ <year>1999</year><year>2016</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
@@ -28,6 +28,454 @@
<p>This document describes the changes made to the SSL application.</p>
+<section><title>SSL 8.0.3</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ A timing related bug in event handling could cause
+ interoperability problems between an erlang TLS server
+ and some TLS clients, especially noticed with Firefox as
+ TLS client.</p>
+ <p>
+ Own Id: OTP-13917</p>
+ </item>
+ <item>
+ <p>
+ Correct ECC curve selection, the error could cause the
+ default to always be selected.</p>
+ <p>
+ Own Id: OTP-13918</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 8.0.2</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Correctly formed handshake messages received out of order
+ will now correctly fail the connection with unexpected
+ message.</p>
+ <p>
+ Own Id: OTP-13853</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ ssl application now behaves gracefully also on partially
+ incorrect input from peer.</p>
+ <p>
+ Own Id: OTP-13834</p>
+ </item>
+ <item>
+ <p>
+ Add application environment configuration
+ bypass_pem_cache. This can be used as a workaround for
+ the current implementation of the PEM-cache that has
+ proven to be a bottleneck.</p>
+ <p>
+ Own Id: OTP-13883</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 8.0.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ The TLS/SSL protocol version selection for the SSL server
+ has been corrected to follow RFC 5246 Appendix E.1
+ especially in case where the list of supported versions
+ has gaps. Now the server selects the highest protocol
+ version it supports that is not higher than what the
+ client supports.</p>
+ <p>
+ Own Id: OTP-13753 Aux Id: seq13150 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 8.0</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Server now rejects, a not requested client cert, as an
+ incorrect handshake message and ends the connection.</p>
+ <p>
+ Own Id: OTP-13651</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Remove default support for DES cipher suites</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-13195</p>
+ </item>
+ <item>
+ <p>
+ Deprecate the function <c>crypto:rand_bytes</c> and make
+ sure that <c>crypto:strong_rand_bytes</c> is used in all
+ places that are cryptographically significant.</p>
+ <p>
+ Own Id: OTP-13214</p>
+ </item>
+ <item>
+ <p>
+ Better error handling of user error during TLS upgrade.
+ ERL-69 is solved by gen_statem rewrite of ssl
+ application.</p>
+ <p>
+ Own Id: OTP-13255</p>
+ </item>
+ <item>
+ <p>
+ Provide user friendly error message when crypto rejects a
+ key</p>
+ <p>
+ Own Id: OTP-13256</p>
+ </item>
+ <item>
+ <p>
+ Add ssl:getstat/1 and ssl:getstat/2</p>
+ <p>
+ Own Id: OTP-13415</p>
+ </item>
+ <item>
+ <p>
+ TLS distribution connections now allow specifying the
+ options <c>verify_fun</c>, <c>crl_check</c> and
+ <c>crl_cache</c>. See the documentation. GitHub pull req
+ #956 contributed by Magnus Henoch.</p>
+ <p>
+ Own Id: OTP-13429 Aux Id: Pull#956 </p>
+ </item>
+ <item>
+ <p>
+ Remove confusing error message when closing a distributed
+ erlang node running over TLS</p>
+ <p>
+ Own Id: OTP-13431</p>
+ </item>
+ <item>
+ <p>
+ Remove default support for use of md5 in TLS 1.2
+ signature algorithms</p>
+ <p>
+ Own Id: OTP-13463</p>
+ </item>
+ <item>
+ <p>
+ ssl now uses gen_statem instead of gen_fsm to implement
+ the ssl connection process, this solves some timing
+ issues in addition to making the code more intuitive as
+ the behaviour can be used cleanly instead of having a lot
+ of workaround for shortcomings of the behaviour.</p>
+ <p>
+ Own Id: OTP-13464</p>
+ </item>
+ <item>
+ <p>
+ Phase out interoperability with clients that offer SSLv2.
+ By default they are no longer supported, but an option to
+ provide interoperability is offered.</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-13465</p>
+ </item>
+ <item>
+ <p>
+ OpenSSL has functions to generate short (eight hex
+ digits) hashes of issuers of certificates and CRLs. These
+ hashes are used by the "c_rehash" script to populate
+ directories of CA certificates and CRLs, e.g. in the
+ Apache web server. Add functionality to let an Erlang
+ program find the right CRL for a given certificate in
+ such a directory.</p>
+ <p>
+ Own Id: OTP-13530</p>
+ </item>
+ <item>
+ <p>
+ Some legacy TLS 1.0 software does not tolerate the 1/n-1
+ content split BEAST mitigation technique. Add a
+ beast_mitigation SSL option (defaulting to
+ one_n_minus_one) to select or disable the BEAST
+ mitigation technique.</p>
+ <p>
+ Own Id: OTP-13629</p>
+ </item>
+ <item>
+ <p>
+ Enhance error log messages to facilitate for users to
+ understand the error</p>
+ <p>
+ Own Id: OTP-13632</p>
+ </item>
+ <item>
+ <p>
+ Increased default DH params to 2048-bit</p>
+ <p>
+ Own Id: OTP-13636</p>
+ </item>
+ <item>
+ <p>
+ Propagate CRL unknown CA error so that public_key
+ validation process continues correctly and determines
+ what should happen.</p>
+ <p>
+ Own Id: OTP-13656</p>
+ </item>
+ <item>
+ <p>
+ Introduce a flight concept for handshake packages. This
+ is a preparation for enabling DTLS, however it can also
+ have a positive effects for TLS on slow and unreliable
+ networks.</p>
+ <p>
+ Own Id: OTP-13678</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 7.3.3</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Correct ssl:prf/5 to use the negotiated cipher suite's
+ prf function in ssl:prf/5 instead of the default prf.</p>
+ <p>
+ Own Id: OTP-13546</p>
+ </item>
+ <item>
+ <p>
+ Timeouts may have the value 0, guards have been corrected
+ to allow this</p>
+ <p>
+ Own Id: OTP-13635</p>
+ </item>
+ <item>
+ <p>
+ Change of internal handling of hash sign pairs as the
+ used one enforced to much restrictions making some valid
+ combinations unavailable.</p>
+ <p>
+ Own Id: OTP-13670</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Create a little randomness in sending of session
+ invalidation messages, to mitigate load when whole table
+ is invalidated.</p>
+ <p>
+ Own Id: OTP-13490</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 7.3.2</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Correct cipher suites conversion and gaurd expression.
+ Caused problems with GCM cipher suites and client side
+ option to set signature_algorithms extention values.</p>
+ <p>
+ Own Id: OTP-13525</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 7.3.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Corrections to cipher suite handling using the 3 and 4
+ tuple format in addition to commit
+ 89d7e21cf4ae988c57c8ef047bfe85127875c70c</p>
+ <p>
+ Own Id: OTP-13511</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Make values for the TLS-1.2 signature_algorithms
+ extension configurable</p>
+ <p>
+ Own Id: OTP-13261</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 7.3</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Make sure there is only one poller validator at a time
+ for validating the session cache.</p>
+ <p>
+ Own Id: OTP-13185</p>
+ </item>
+ <item>
+ <p>
+ A timing related issue could cause ssl to hang,
+ especially happened with newer versions of OpenSSL in
+ combination with ECC ciphers.</p>
+ <p>
+ Own Id: OTP-13253</p>
+ </item>
+ <item>
+ <p>
+ Work around a race condition in the TLS distribution
+ start.</p>
+ <p>
+ Own Id: OTP-13268</p>
+ </item>
+ <item>
+ <p>
+ Big handshake messages are now correctly fragmented in
+ the TLS record layer.</p>
+ <p>
+ Own Id: OTP-13306</p>
+ </item>
+ <item>
+ <p>
+ Improve portability of ECC tests in Crypto and SSL for
+ "exotic" OpenSSL versions.</p>
+ <p>
+ Own Id: OTP-13311</p>
+ </item>
+ <item>
+ <p>
+ Certificate extensions marked as critical are ignored
+ when using verify_none</p>
+ <p>
+ Own Id: OTP-13377</p>
+ </item>
+ <item>
+ <p>
+ If a certificate doesn't contain a CRL Distribution
+ Points extension, and the relevant CRL is not in the
+ cache, and the <c>crl_check</c> option is not set to
+ <c>best_effort</c> , the revocation check should fail.</p>
+ <p>
+ Own Id: OTP-13378</p>
+ </item>
+ <item>
+ <p>
+ Enable TLS distribution over IPv6</p>
+ <p>
+ Own Id: OTP-13391</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Improve error reporting for TLS distribution</p>
+ <p>
+ Own Id: OTP-13219</p>
+ </item>
+ <item>
+ <p>
+ Include options from connect, listen and accept in
+ <c>connection_information/1,2</c></p>
+ <p>
+ Own Id: OTP-13232</p>
+ </item>
+ <item>
+ <p>
+ Allow adding extra options for outgoing TLS distribution
+ connections, as supported for plain TCP connections.</p>
+ <p>
+ Own Id: OTP-13285</p>
+ </item>
+ <item>
+ <p>
+ Use loopback as server option in TLS-distribution module</p>
+ <p>
+ Own Id: OTP-13300</p>
+ </item>
+ <item>
+ <p>
+ Verify certificate signature against original certificate
+ binary.</p>
+ <p>
+ This avoids bugs due to encoding errors when re-encoding
+ a decode certificate. As there exists several decode step
+ and using of different ASN.1 specification this is a risk
+ worth avoiding.</p>
+ <p>
+ Own Id: OTP-13334</p>
+ </item>
+ <item>
+ <p>
+ Use <c>application:ensure_all_started/2</c> instead of
+ hard-coding dependencies</p>
+ <p>
+ Own Id: OTP-13363</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
<section><title>SSL 7.2</title>
<section><title>Fixed Bugs and Malfunctions</title>
generated by cgit v1.2.3 (git 2.25.1) at 2025-02-04 00:48:01 +0000