aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/doc/src/notes.xml
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ssl/doc/src/notes.xml')
-rw-r--r--lib/ssl/doc/src/notes.xml373
1 files changed, 372 insertions, 1 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 5b0b5ead20..d13ad09470 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -4,7 +4,7 @@
<chapter>
<header>
<copyright>
- <year>1999</year><year>2013</year>
+ <year>1999</year><year>2016</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
@@ -28,6 +28,377 @@
<p>This document describes the changes made to the SSL application.</p>
+<section><title>SSL 8.1.3</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Remove debug printout</p>
+ <p>
+ Own Id: OTP-14396</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 8.1.2</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Correct active once emulation, for TLS. Now all data
+ received by the connection process will be delivered
+ through active once, even when the active once arrives
+ after that the gen_tcp socket is closed by the peer.</p>
+ <p>
+ Own Id: OTP-14300</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 8.1.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Corrected termination behavior, that caused a PEM cache
+ bug and sometimes resulted in connection failures.</p>
+ <p>
+ Own Id: OTP-14100</p>
+ </item>
+ <item>
+ <p>
+ Fix bug that could hang ssl connection processes when
+ failing to require more data for very large handshake
+ packages. Add option max_handshake_size to mitigate DoS
+ attacks.</p>
+ <p>
+ Own Id: OTP-14138</p>
+ </item>
+ <item>
+ <p>
+ Improved support for CRL handling that could fail to work
+ as intended when an id-ce-extKeyUsage was present in the
+ certificate. Also improvements where needed to
+ distributionpoint handling so that all revocations
+ actually are found and not deemed to be not determinable.</p>
+ <p>
+ Own Id: OTP-14141</p>
+ </item>
+ <item>
+ <p>
+ A TLS handshake might accidentally match old sslv2 format
+ and ssl application would incorrectly aborted TLS
+ handshake with ssl_v2_client_hello_no_supported. Parsing
+ was altered to avoid this problem.</p>
+ <p>
+ Own Id: OTP-14222</p>
+ </item>
+ <item>
+ <p>
+ Correct default cipher list to prefer AES 128 before 3DES</p>
+ <p>
+ Own Id: OTP-14235</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Move PEM cache to a dedicated process, to avoid making
+ the SSL manager process a bottleneck. This improves
+ scalability of TLS connections.</p>
+ <p>
+ Own Id: OTP-13874</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 8.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ List of possible anonymous suites, never supported by
+ default, where incorrect for some TLS versions.</p>
+ <p>
+ Own Id: OTP-13926</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Experimental version of DTLS. It is runnable but not
+ complete and cannot be considered reliable for production
+ usage.</p>
+ <p>
+ Own Id: OTP-12982</p>
+ </item>
+ <item>
+ <p>
+ Add API options to handle ECC curve selection.</p>
+ <p>
+ Own Id: OTP-13959</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 8.0.3</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ A timing related bug in event handling could cause
+ interoperability problems between an erlang TLS server
+ and some TLS clients, especially noticed with Firefox as
+ TLS client.</p>
+ <p>
+ Own Id: OTP-13917</p>
+ </item>
+ <item>
+ <p>
+ Correct ECC curve selection, the error could cause the
+ default to always be selected.</p>
+ <p>
+ Own Id: OTP-13918</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 8.0.2</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Correctly formed handshake messages received out of order
+ will now correctly fail the connection with unexpected
+ message.</p>
+ <p>
+ Own Id: OTP-13853</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ ssl application now behaves gracefully also on partially
+ incorrect input from peer.</p>
+ <p>
+ Own Id: OTP-13834</p>
+ </item>
+ <item>
+ <p>
+ Add application environment configuration
+ bypass_pem_cache. This can be used as a workaround for
+ the current implementation of the PEM-cache that has
+ proven to be a bottleneck.</p>
+ <p>
+ Own Id: OTP-13883</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 8.0.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ The TLS/SSL protocol version selection for the SSL server
+ has been corrected to follow RFC 5246 Appendix E.1
+ especially in case where the list of supported versions
+ has gaps. Now the server selects the highest protocol
+ version it supports that is not higher than what the
+ client supports.</p>
+ <p>
+ Own Id: OTP-13753 Aux Id: seq13150 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 8.0</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Server now rejects, a not requested client cert, as an
+ incorrect handshake message and ends the connection.</p>
+ <p>
+ Own Id: OTP-13651</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Remove default support for DES cipher suites</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-13195</p>
+ </item>
+ <item>
+ <p>
+ Deprecate the function <c>crypto:rand_bytes</c> and make
+ sure that <c>crypto:strong_rand_bytes</c> is used in all
+ places that are cryptographically significant.</p>
+ <p>
+ Own Id: OTP-13214</p>
+ </item>
+ <item>
+ <p>
+ Better error handling of user error during TLS upgrade.
+ ERL-69 is solved by gen_statem rewrite of ssl
+ application.</p>
+ <p>
+ Own Id: OTP-13255</p>
+ </item>
+ <item>
+ <p>
+ Provide user friendly error message when crypto rejects a
+ key</p>
+ <p>
+ Own Id: OTP-13256</p>
+ </item>
+ <item>
+ <p>
+ Add ssl:getstat/1 and ssl:getstat/2</p>
+ <p>
+ Own Id: OTP-13415</p>
+ </item>
+ <item>
+ <p>
+ TLS distribution connections now allow specifying the
+ options <c>verify_fun</c>, <c>crl_check</c> and
+ <c>crl_cache</c>. See the documentation. GitHub pull req
+ #956 contributed by Magnus Henoch.</p>
+ <p>
+ Own Id: OTP-13429 Aux Id: Pull#956 </p>
+ </item>
+ <item>
+ <p>
+ Remove confusing error message when closing a distributed
+ erlang node running over TLS</p>
+ <p>
+ Own Id: OTP-13431</p>
+ </item>
+ <item>
+ <p>
+ Remove default support for use of md5 in TLS 1.2
+ signature algorithms</p>
+ <p>
+ Own Id: OTP-13463</p>
+ </item>
+ <item>
+ <p>
+ ssl now uses gen_statem instead of gen_fsm to implement
+ the ssl connection process, this solves some timing
+ issues in addition to making the code more intuitive as
+ the behaviour can be used cleanly instead of having a lot
+ of workaround for shortcomings of the behaviour.</p>
+ <p>
+ Own Id: OTP-13464</p>
+ </item>
+ <item>
+ <p>
+ Phase out interoperability with clients that offer SSLv2.
+ By default they are no longer supported, but an option to
+ provide interoperability is offered.</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-13465</p>
+ </item>
+ <item>
+ <p>
+ OpenSSL has functions to generate short (eight hex
+ digits) hashes of issuers of certificates and CRLs. These
+ hashes are used by the "c_rehash" script to populate
+ directories of CA certificates and CRLs, e.g. in the
+ Apache web server. Add functionality to let an Erlang
+ program find the right CRL for a given certificate in
+ such a directory.</p>
+ <p>
+ Own Id: OTP-13530</p>
+ </item>
+ <item>
+ <p>
+ Some legacy TLS 1.0 software does not tolerate the 1/n-1
+ content split BEAST mitigation technique. Add a
+ beast_mitigation SSL option (defaulting to
+ one_n_minus_one) to select or disable the BEAST
+ mitigation technique.</p>
+ <p>
+ Own Id: OTP-13629</p>
+ </item>
+ <item>
+ <p>
+ Enhance error log messages to facilitate for users to
+ understand the error</p>
+ <p>
+ Own Id: OTP-13632</p>
+ </item>
+ <item>
+ <p>
+ Increased default DH params to 2048-bit</p>
+ <p>
+ Own Id: OTP-13636</p>
+ </item>
+ <item>
+ <p>
+ Propagate CRL unknown CA error so that public_key
+ validation process continues correctly and determines
+ what should happen.</p>
+ <p>
+ Own Id: OTP-13656</p>
+ </item>
+ <item>
+ <p>
+ Introduce a flight concept for handshake packages. This
+ is a preparation for enabling DTLS, however it can also
+ have a positive effects for TLS on slow and unreliable
+ networks.</p>
+ <p>
+ Own Id: OTP-13678</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
<section><title>SSL 7.3.3</title>
<section><title>Fixed Bugs and Malfunctions</title>
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-21 14:51:05 +0000