aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/doc/src/notes.xml
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ssl/doc/src/notes.xml')
-rw-r--r--lib/ssl/doc/src/notes.xml356
1 files changed, 355 insertions, 1 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 0b28b1ebd4..4349e5a456 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -25,7 +25,361 @@
<file>notes.xml</file>
</header>
<p>This document describes the changes made to the SSL application.</p>
- <section><title>SSL 5.3.3</title>
+ <section><title>SSL 5.3.8</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Make sure the clean rule for ssh, ssl, eunit and otp_mibs
+ actually removes generated files.</p>
+ <p>
+ Own Id: OTP-12200</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Change code to reflect that state data may be secret to
+ avoid breaking dialyzer contracts.</p>
+ <p>
+ Own Id: OTP-12341</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3.7</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Handle the fact that servers may send an empty SNI
+ extension to the client.</p>
+ <p>
+ Own Id: OTP-12198</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3.6</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Corrected handling of ECC certificates, there where
+ several small issues with the handling of such
+ certificates in the ssl and public_key application. Now
+ ECC signed ECC certificates shall work and not only RSA
+ signed ECC certificates.</p>
+ <p>
+ Own Id: OTP-12026</p>
+ </item>
+ <item>
+ <p>
+ Check that the certificate chain ends with a trusted ROOT
+ CA e.i. a self-signed certificate, but provide an option
+ partial_chain to enable the application to define an
+ intermediat CA as trusted.</p>
+ <p>
+ Own Id: OTP-12149</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Add decode functions for SNI (Server Name Indication)</p>
+ <p>
+ Own Id: OTP-12048</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3.5</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ ssl:recv now returns {error, einval} if applied to a non
+ passive socket, the same as gen_tcp:recv. </p>
+ <p>
+ Thanks to Danil Zagoskin for reporting this issue</p>
+ <p>
+ Own Id: OTP-11878</p>
+ </item>
+ <item>
+ <p>
+ Corrected handling of default values for
+ signature_algorithms extension in TLS-1.2 and
+ corresponding values used in previous versions that does
+ not support this extension. </p>
+ <p>
+ Thanks to Danil Zagoskin</p>
+ <p>
+ Own Id: OTP-11886</p>
+ </item>
+ <item>
+ <p>
+ Handle socket option inheritance when pooling of accept
+ sockets is used</p>
+ <p>
+ Own Id: OTP-11897</p>
+ </item>
+ <item>
+ <p>
+ Make sure that the list of versions, possibly supplied in
+ the versions option, is not order dependent.</p>
+ <p>
+ Thanks to Ransom Richardson for reporting this issue</p>
+ <p>
+ Own Id: OTP-11912</p>
+ </item>
+ <item>
+ <p>
+ Reject connection if the next_protocol message is sent
+ twice.</p>
+ <p>
+ Own Id: OTP-11926</p>
+ </item>
+ <item>
+ <p>
+ Correct options handling when ssl:ssl_accept/3 is called
+ with new ssl options after calling ssl:listen/2</p>
+ <p>
+ Own Id: OTP-11950</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Gracefully handle unknown alerts</p>
+ <p>
+ Thanks to Atul Atri for reporting this issue</p>
+ <p>
+ Own Id: OTP-11874</p>
+ </item>
+ <item>
+ <p>
+ Gracefully ignore cipher suites sent by client not
+ supported by the SSL/TLS version that the client has
+ negotiated.</p>
+ <p>
+ Thanks to Danil Zagoskin for reporting this issue</p>
+ <p>
+ Own Id: OTP-11875</p>
+ </item>
+ <item>
+ <p>
+ Gracefully handle structured garbage, i.e a client sends
+ some garbage in a ssl record instead of a valid fragment.</p>
+ <p>
+ Thanks to Danil Zagoskin</p>
+ <p>
+ Own Id: OTP-11880</p>
+ </item>
+ <item>
+ <p>
+ Gracefully handle invalid alerts</p>
+ <p>
+ Own Id: OTP-11890</p>
+ </item>
+ <item>
+ <p>
+ Generalize handling of default ciphers</p>
+ <p>
+ Thanks to Andreas Schultz</p>
+ <p>
+ Own Id: OTP-11966</p>
+ </item>
+ <item>
+ <p>
+ Make sure change cipher spec is correctly handled</p>
+ <p>
+ Own Id: OTP-11975</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3.4</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Fix incorrect dialyzer spec and types, also enhance
+ documentation. </p>
+ <p>
+ Thanks to Ayaz Tuncer.</p>
+ <p>
+ Own Id: OTP-11627</p>
+ </item>
+ <item>
+ <p>
+ Fix possible mismatch between SSL/TLS version and default
+ ciphers. Could happen when you specified SSL/TLS-version
+ in optionlist to listen or accept.</p>
+ <p>
+ Own Id: OTP-11712</p>
+ </item>
+ <item>
+ <p>
+ Application upgrade (appup) files are corrected for the
+ following applications: </p>
+ <p>
+ <c>asn1, common_test, compiler, crypto, debugger,
+ dialyzer, edoc, eldap, erl_docgen, et, eunit, gs, hipe,
+ inets, observer, odbc, os_mon, otp_mibs, parsetools,
+ percept, public_key, reltool, runtime_tools, ssh,
+ syntax_tools, test_server, tools, typer, webtool, wx,
+ xmerl</c></p>
+ <p>
+ A new test utility for testing appup files is added to
+ test_server. This is now used by most applications in
+ OTP.</p>
+ <p>
+ (Thanks to Tobias Schlager)</p>
+ <p>
+ Own Id: OTP-11744</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Moved elliptic curve definition from the crypto
+ NIF/OpenSSL into Erlang code, adds the RFC-5639 brainpool
+ curves and makes TLS use them (RFC-7027).</p>
+ <p>
+ Thanks to Andreas Schultz</p>
+ <p>
+ Own Id: OTP-11578</p>
+ </item>
+ <item>
+ <p>
+ Unicode adaptations</p>
+ <p>
+ Own Id: OTP-11620</p>
+ </item>
+ <item>
+ <p>
+ Added option honor_cipher_order. This instructs the
+ server to prefer its own cipher ordering rather than the
+ client's and can help protect against things like BEAST
+ while maintaining compatability with clients which only
+ support older ciphers. </p>
+ <p>
+ Thanks to Andrew Thompson for the implementation, and
+ Andreas Schultz for the test cases.</p>
+ <p>
+ Own Id: OTP-11621</p>
+ </item>
+ <item>
+ <p>
+ Replace boolean checking in validate_option with
+ is_boolean guard. </p>
+ <p>
+ Thanks to Andreas Schultz.</p>
+ <p>
+ Own Id: OTP-11634</p>
+ </item>
+ <item>
+ <p>
+ Some function specs are corrected or moved and some edoc
+ comments are corrected in order to allow use of edoc.
+ (Thanks to Pierre Fenoll)</p>
+ <p>
+ Own Id: OTP-11702</p>
+ </item>
+ <item>
+ <p>
+ Correct clean up of certificate database when certs are
+ inputed in pure DER format.The incorrect code could cause
+ a memory leek when certs where inputed in DER. Thanks to
+ Bernard Duggan for reporting this.</p>
+ <p>
+ Own Id: OTP-11733</p>
+ </item>
+ <item>
+ <p>
+ Improved documentation of the cacertfile option</p>
+ <p>
+ Own Id: OTP-11759 Aux Id: seq12535 </p>
+ </item>
+ <item>
+ <p>
+ Avoid next protocol negotiation failure due to incorrect
+ option format.</p>
+ <p>
+ Own Id: OTP-11760</p>
+ </item>
+ <item>
+ <p>
+ Handle v1 CRLs, with no extensions and fixes issues with
+ IDP (Issuing Distribution Point) comparison during CRL
+ validation. </p>
+ <p>
+ Thanks to Andrew Thompson</p>
+ <p>
+ Own Id: OTP-11761</p>
+ </item>
+ <item>
+ <p>
+ Server now ignores client ECC curves that it does not
+ support instead of crashing. </p>
+ <p>
+ Thanks to Danil Zagoskin for reporting the issue and
+ suggesting a solution.</p>
+ <p>
+ Own Id: OTP-11780</p>
+ </item>
+ <item>
+ <p>
+ Handle SNI (Server Name Indication) alert
+ unrecognized_name and gracefully deal with unexpected
+ alerts. </p>
+ <p>
+ Thanks to Masatake Daimon for reporting this.</p>
+ <p>
+ Own Id: OTP-11815</p>
+ </item>
+ <item>
+ <p>
+ Add possibility to specify ssl options when calling
+ ssl:ssl_accept</p>
+ <p>
+ Own Id: OTP-11837</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3.3</title>
<section><title>Fixed Bugs and Malfunctions</title>
<list>
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-16 16:56:46 +0000