path: root/lib/ssl/doc/src/notes.xml
Diffstat (limited to 'lib/ssl/doc/src/notes.xml')
-rw-r--r-- lib/ssl/doc/src/notes.xml | 1132
1 files changed, 1132 insertions, 0 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
new file mode 100644
index 0000000000..14dfe616ba
--- /dev/null
+++ b/lib/ssl/doc/src/notes.xml
@@ -0,0 +1,1132 @@
+<?xml version="1.0" encoding="latin1" ?>
+<!DOCTYPE chapter SYSTEM "chapter.dtd">
+
+<chapter>
+ <header>
+ <copyright>
+ <year>1999</year><year>2009</year>
+ <holder>Ericsson AB. All Rights Reserved.</holder>
+ </copyright>
+ <legalnotice>
+ The contents of this file are subject to the Erlang Public License,
+ Version 1.1, (the "License"); you may not use this file except in
+ compliance with the License. You should have received a copy of the
+ Erlang Public License along with this software. If not, it can be
+ retrieved online at http://www.erlang.org/.
+
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ the License for the specific language governing rights and limitations
+ under the License.
+
+ </legalnotice>
+
+ <title>SSL Release Notes</title>
+ <prepared>Peter H&ouml;gfeldt</prepared>
+ <docno></docno>
+ <date>2003-08-03</date>
+ <rev>G</rev>
+ <file>notes.xml</file>
+ </header>
+ <p>This document describes the changes made to the SSL application.
+ </p>
+
+<section><title>SSL 3.10.7</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ A ticker process could potentially be blocked
+ indefinitely trying to send a tick to a node not
+ responding. If this happened, the connection would not be
+ brought down as it should.</p>
+ <p> This requires erts-5.7.4 and kernel-2.13.4 or later
+ to be able to get the erlang distribution over ssl to work.</p>
+ <p>
+ Own Id: OTP-8218</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ The documentation is now built with open source tools
+ (xsltproc and fop) that exists on most platforms. One
+ visible change is that the frames are removed.</p>
+ <p>
+ Own Id: OTP-8250</p>
+ </item>
+ <item>
+ <p>
+ Code cleanup from Kostis.</p>
+ <p>
+ Own Id: OTP-8260</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 3.10.6</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ The ssl:ssl_accept/3 issue was not properly fixed in the
+ previous patch, see OTP-8244.</p>
+ <p>
+ Own Id: OTP-8275 Aux Id: seq11451 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 3.10.5</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Allow clients to not send certificates if option
+ <c>fail_if_no_peer_cert</c> was not set.</p>
+ <p>
+ Own Id: OTP-8224</p>
+ </item>
+ <item>
+ <p>A ssl:ssl_accept/3 could crash a connection if the
+ timing was wrong.</p> <p>Removed info message if the
+ socket closed without a proper disconnect from the ssl
+ layer. </p> <p>ssl:send/2 is now blocking until the
+ message is sent.</p>
+ <p>
+ Own Id: OTP-8244 Aux Id: seq11420 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 3.10.4</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ A client could avoid a certificate check if the client
+ code didn't send the requested certificate.</p>
+ <p>
+ Own Id: OTP-8137</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 3.10.3</title>
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>Packet handling was not implemented correctly.</p>
+ <p>Inet option handling support have been improved.</p>
+ <p>The <c>verify_fun</c> is now invoked even if
+ verify_peer is used, that implies that by default
+ {bad_cert,unknown_ca} is an accepted fault during the
+ client connection phase. The check can still be done by
+ suppling another verify_fun.</p>
+ <p>
+ Own Id: OTP-8011 Aux Id: seq11287 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+
+<section><title>SSL 3.10.2</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ A "new_ssl" socket was not closed if the controlling
+ process died without calling ssl:close/1.</p>
+ <p>
+ Own Id: OTP-7963 Aux Id: seq11276 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 3.10.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Fixed bug that caused the ssl handshake finished message
+ to be calculated wrongly under the circumstances that the
+ server did not send the trusted cert and that the
+ previous cert did not have the extension telling us the
+ trusted certs name. This manifested it self as
+ bad_record_mac alert from the server.</p>
+ <p>
+ Own Id: OTP-7878</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ The cacertsfile option is now optional for ssl servers.</p>
+ <p>
+ Own Id: OTP-7656</p>
+ </item>
+ <item>
+ <p>
+ For the ssl client the options cacertfile, certfile and
+ keyfile are now optional as they are not always needed
+ depending on configuration of the client itself and the
+ configuration of the server. Also as PEM-files may
+ contain more than one entry the keyfile option will
+ default to the same file as given by the certfile option.</p>
+ <p>
+ Own Id: OTP-7870</p>
+ </item>
+ <item>
+ <p>
+ Added new ssl client option verify_fun.</p>
+ <p>
+ Own Id: OTP-7871</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+ <section><title>SSL 3.10</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Error log entries are now formatted correctly.</p>
+ <p>
+ Own Id: OTP-7258</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ All handling of X509-certificates and public keys have
+ been moved to the new application public_key.</p>
+ <p>
+ Own Id: OTP-6894</p>
+ </item>
+ <item>
+ <p>
+ New ssl now supports SSL-3.0 and TLS-1.0</p>
+ <p>
+ Own Id: OTP-7037</p>
+ </item>
+ <item>
+ <p>
+ New ssl now supports all inet-packet types.</p>
+ <p>
+ Own Id: OTP-7039</p>
+ </item>
+ <item>
+ <p>
+ The new ssl-server is now able to send a certificate
+ request to the client. However new options may be
+ introduced later to fully support all features regarding
+ certificate requests.</p>
+ <p>
+ Own Id: OTP-7150</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Known Bugs and Problems</title>
+ <list>
+ <item>
+ <p>
+ Running erlang distribution over ssl don't work as
+ described in the documentation.</p>
+ <p>
+ Own Id: OTP-7536</p>
+ </item>
+ </list>
+ </section>
+
+ </section>
+
+
+ <section><title>SSL 3.9</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ ssl_prim.erl was passing an FD rather than an #sslsocket
+ to ssl_broker:ssl_accept_prim. This could cause problems
+ in the deprecated accept function, this will not cause
+ any more problems however this function is deprecated!</p>
+ <p>
+ Own Id: OTP-6926</p>
+ </item>
+ <item>
+ <p>
+ Erlang distribution over ssl was broken after R11B-0,
+ this has now been fixed.</p>
+ <p>
+ Own Id: OTP-7004</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ All inet options are available in the new ssl
+ implementation that is released as a alfa in ssl-3.9 and
+ will replace the old implementation in ssl-4.0. This will
+ not be fixed in the old implementation.</p>
+ <p>
+ Own Id: OTP-4677</p>
+ </item>
+ <item>
+ <p>
+ The new ssl implementation released as a alfa in this
+ version supports upgrading of a tcp connection to a ssl
+ connection so that http client and servers may implement
+ RFC 2817.</p>
+ <p>
+ Own Id: OTP-5510</p>
+ </item>
+ <item>
+ <p>A new implementation of ssl is released as a alfa
+ version in ssl-3.9 it will later replace the old
+ implementation in ssl-4.0. The new implementation can be
+ accessed by providing the option {ssl_imp, new} to the
+ ssl:connect and ssl:listen functions.</p>
+ <p>The new implementation is Erlang based and all logic
+ is in Erlang and only payload encryption calculations are
+ done in C via the crypto application. The main reason for
+ making a new implementation is that the old solution was
+ very crippled as the control of the ssl-socket was deep
+ down in openssl making it hard if not impossible to
+ support all inet options, ipv6 and upgrade of a tcp
+ connection to a ssl connection. The alfa version has a
+ few limitations that will be removed before the ssl-4.0
+ release. Main differences and limitations in the alfa are
+ listed below.</p>
+
+ <list type="bulleted"> <item>New ssl requires the crypto
+ application.</item> <item>The option reuseaddr is
+ supported and the default value is false as in gen_tcp.
+ Old ssl is patched to accept that the option is set to
+ true to provide a smoother migration between the
+ versions. In old ssl the option is hard coded to
+ true.</item> <item>ssl:version/0 is replaced by
+ ssl:versions/0</item> <item>ssl:ciphers/0 is replaced by
+ ssl:cipher_suites/0</item> <item>ssl:pid/1 is a
+ meaningless function in new ssl and will be deprecated in
+ ssl-4.0 until it is removed it will return a valid but
+ meaningless pid.</item> <item>New API functions are
+ ssl:shutdown/2, ssl:cipher_suites/[0,1] and
+ ssl:versions/0</item> <item>Diffie-Hellman keyexchange is
+ not supported.</item> <item>Not all inet packet types are
+ supported.</item> <item>CRL and policy certificate
+ extensions are not supported.</item> <item>In this alfa
+ only sslv3 is enabled, although tlsv1 and tlsv1.1
+ versions are implemented and will be supported in future
+ versions.</item> <item>For security reasons sslv2 is not
+ supported.</item> </list>
+ <p>
+ Own Id: OTP-6619</p>
+ </item>
+ <item>
+ <p>
+ New ssl implementation, released as alfa in ssl-3.9,
+ supports ipv6. It will not be supported in the old
+ implementation.</p>
+ <p>
+ Own Id: OTP-6637 Aux Id: OTP-6636 </p>
+ </item>
+ </list>
+ </section>
+
+ </section>
+
+ <section>
+ <title>SSL 3.1.1.1</title>
+
+ <section>
+ <title>Minor Makefile changes</title>
+ <list type="bulleted">
+ <item>
+ <p>Removed use of <c>erl_flags</c> from Makefile.</p>
+ <p>Own Id: OTP-6689</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 3.1.1</title>
+
+ <section>
+ <title>Crash on error in ssl_accept</title>
+ <list type="bulleted">
+ <item>
+ <p>A bug in ssl_accept could cause all ssl
+ connections to hang when a connection
+ attempt was closed by the client while
+ the server was in <c>ssl_accept</c>.</p>
+ <p>Own Id: OTP-6612 Aux Id: seq10599</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 3.1</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>SSL now uses a two-phase accept, with a separate accept
+ calls for the socket and the ssl protocol. This avoids
+ timeouts when a client doesn't initiate ssl handshake.</p>
+ <p>With the old implementation of accept, the server
+ was locked by a client, if the client didn't do
+ proper ssl handshake.</p>
+ <p>Own Id: OTP-6418 Aux Id: seq10105</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 3.0.12</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>An integer array pointing to a struct pollfd array, is
+ now reset before file descriptors are collected to be
+ included in a call to poll(). This is to prevent file
+ descriptors to be mixed up.</p>
+ <p>Own Id: OTP-6084</p>
+ </item>
+ <item>
+ <p>The generation of the module ssl_pkix_oid contained
+ multiple identifiers, which made the mapping between
+ atoms and identifiers not one-to-one.</p>
+ <p>Own Id: OTP-6085</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 3.0.11</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>The state of a connection in active mode could be in a
+ restrictive state, so that an internal tcp_closed message
+ was incorrectly considered illegal, resulting in a
+ premature termination of the connection process.</p>
+ <p>Own Id: OTP-5972 Aux Id: seq10188 </p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 3.0.10</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>Erlang distribution over SSL was broken. Corrected.
+ (Thanks to Fredrik Thulin.)</p>
+ <p>Own Id: OTP-5863</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 3.0.9</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>The port program for the ssl application could waste huge
+ amounts of CPU time if a write could not be completed
+ directly and was put in the write queue. (Only on platforms
+ where poll() is used, such as Solaris and Linux.)</p>
+ <p>Own Id: OTP-5784</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 3.0.8</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>A process reading only a portion of a sufficiently large
+ amount of data from an accepted socket, and then quering
+ the ssl library (e.g. ssl:getpeername()), would cause a
+ global deadlock in the esock port program.</p>
+ <p>Own Id: OTP-5702</p>
+ </item>
+ <item>
+ <p>A spelling error in the module <c>ssl_pkix</c> caused the
+ call to <c>ssl:peercert/2</c> to fail when the option
+ <c>subject</c> was used.</p>
+ <p>Own Id: OTP-5708</p>
+ </item>
+ <item>
+ <p>Because fopen() on Solaris 8 can't handle file
+ descriptor numbers above 255, reading of certificate
+ files would fail if all file descriptors below 256 were
+ in use (typically, if many connections were open). This
+ problem has been worked around.</p>
+ <p>The ssl application's port program used to use
+ select(), which meant that it could not handle more than
+ FD_SETSIZE file descriptors (usually 1024). To eliminate
+ that limitation, poll() is now used on all platforms that
+ support it.</p>
+ <p>Solaris/Sparc, 64-bit emulator: The SO_REUSEADDR
+ option was not set for listen sockets, which essentially
+ made the ssl application unusable. Corrected.</p>
+ <p>The default listen queue size for ssl port program was
+ changed to 128 (from 5).</p>
+ <p>Own Id: OTP-5755 Aux Id: seq10068 </p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>Ssl 3.0.7</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>The R/W buffer length i esock.c was too small. It has
+ been increased from 4k to 32k.</p>
+ <p>Own Id: OTP-5620</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>Ssl 3.0.6</title>
+
+ <section>
+ <title>Improvements and New Features</title>
+ <list type="bulleted">
+ <item>
+ <p>A configuration option for choosing protocol versions has
+ been added (<c>sslv2</c>, <c>sslv3</c>, and
+ <c>tlsv1</c>).</p>
+ <p>Own Id: OTP-5429 Aux Id: seq9755 </p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>Ssl 3.0.5</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>Linked in drivers in the crypto, and asn1 applications
+ are now compiled with the -D_THREAD_SAFE and -D_REENTRANT
+ switches on unix when the emulator has thread support
+ enabled.</p>
+ <p>Linked in drivers on MacOSX are not compiled with the
+ undocumented -lbundle1.o switch anymore. Thanks to Sean
+ Hinde who sent us a patch.</p>
+ <p>Linked in driver in crypto, and port programs in ssl, now
+ compiles on OSF1.</p>
+ <p>Minor makefile improvements in runtime_tools.</p>
+ <p>Own Id: OTP-5346</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>Ssl 3.0.4</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p><c>ssl:recv/3</c> with finite timeout value, closed the
+ connection at timeout.</p>
+ <p>Own Id: OTP-4882</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>Ssl 3.0.3</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>When a file descriptor was marked for closing, and and
+ end-of-file condition had already been detected, the file
+ descriptor was never closed.</p>
+ <p>Own Id: OTP-5093 Aux Id: seq8806 </p>
+ </item>
+ <item>
+ <p>When the number of open file descriptors reached
+ FD_SETSIZE, the SSL port program entered a busy loop.</p>
+ <p>Own Id: OTP-5094 Aux Id: seq8806 </p>
+ </item>
+ </list>
+ </section>
+
+ <section>
+ <title>Improvements and New Features</title>
+ <list type="bulleted">
+ <item>
+ <p>The SSL application now supports SSL sessions for
+ servers, which typically speeds up HTTP requests from
+ browsers.</p>
+ <p>Own Id: OTP-5095</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 3.0.2</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>The UTF8String type is now defined in asn1-1.4.4.2 and
+ later. Therefore the definitions of UTF8String has been
+ removed from the ASN.1 modules PKIX1Explicit88.asn1 and
+ PKIXAttributeCertificate.asn1. The SSL application can now
+ only be built using asn-1.4.4.2 or later.</p>
+ <p>OwnId: OTP-4971.</p>
+ </item>
+ </list>
+ </section>
+
+ <section>
+ <title>Known Bugs and Problems</title>
+ <p>See SSL-3.0.
+ </p>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 3.0.1</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>An unexpected object identifier would crash <c>ssl:peercert</c>. </p>
+ <p>OwnId: OTP-4771.</p>
+ </item>
+ </list>
+ </section>
+
+ <section>
+ <title>Known Bugs and Problems</title>
+ <p>See SSL-3.0.
+ </p>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 3.0</title>
+
+ <section>
+ <title>Improvements and New Features</title>
+ <list type="bulleted">
+ <item>
+ <p>The <c>cache_timout</c> option was silently ignored. It had
+ to do with SSL sessions, where multiple connections can occur.
+ Since the Erlang SSL application does not support sessions the
+ option is still ignored, and consequently the documentation
+ about it has been removed.</p>
+ <p>OwnId: OTP-3146</p>
+ </item>
+ <item>
+ <p>The Erlang SSL application is now based on OpenSSL version
+ 0.9.7a. OpenSSL 0.9.6 should also work.</p>
+ <p>OwnId: OTP-4002</p>
+ </item>
+ <item>
+ <p>When connecting it is now possible to bind to a local address
+ and local port. </p>
+ <p>OwnId: OTP-4675</p>
+ </item>
+ <item>
+ <p>The <c>ssl_esock</c> port program is now part of the
+ distribution and thus does not have to be created
+ explicitly. It is dynamically linked to OpenSSL
+ libraries in a "standard" location (typically
+ <c>/usr/local/lib</c> on UNIX; in the path on Win32).</p>
+ <p>OwnId:
+ OTP-4676</p>
+ </item>
+ <item>
+ <p>The new functions <c>ssl:peercert/1/2</c> provide information
+ from the certificate of a peer of a connection.</p>
+ <p>OwnId: OTP-4680
+ <br></br>
+Aux Id: seq7688</p>
+ </item>
+ <item>
+ <p>The function <c>ssl:port/1</c> has been removed from the
+ documentation, but not from the <c>ssl</c> interface module.
+ The recommendation is to use <c>ssl:peername/1</c>
+ instead, which provides both address and port of the peer.</p>
+ <p>OwnId: OTP-4681 </p>
+ </item>
+ <item>
+ <p>New User's Guide documentation has been added.</p>
+ <p>OwnId: OTP-4682 </p>
+ </item>
+ <item>
+ <p>The old <c>ssl_socket</c> interface has been removed and also
+ the documentation of it. </p>
+ <p>OwnId: OTP-4683 </p>
+ </item>
+ <item>
+ <p>The use of ephemeral RSA keys is now supported. It is
+ a global configuration option (see the ssl(6) manual page).</p>
+ <p>OwnId: OTP-4691.</p>
+ </item>
+ </list>
+ </section>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>The option <c>cacertfile</c> is now in effect, and can
+ therefore no longer be set with the OS environment
+ variable SSL_CERT_FILE (which did set the same value for
+ all connections). </p>
+ <p>OwnId: OTP-3146</p>
+ </item>
+ <item>
+ <p>There was a synchronization error at closing of an SSL
+ connection. </p>
+ <p>OwnId: OTP-4435
+ <br></br>
+Aux Id: seq7534</p>
+ </item>
+ <item>
+ <p>C macros in <c>debuglog.c</c> were not ANSI C compliant.</p>
+ <p>OwnId: OTP-4674</p>
+ </item>
+ <item>
+ <p>The <c>binary</c> option was not properly handled.</p>
+ <p>OwnId: OTP-4678</p>
+ </item>
+ <item>
+ <p>The <c>ssl:format_error/1</c> did not consider <c>inet</c>
+ error codes, nor did it have a catch all for unknown error
+ codes.</p>
+ <p>OwnId: OTP-4679</p>
+ </item>
+ </list>
+ </section>
+
+ <section>
+ <title>Known Bugs and Problems</title>
+ <list type="bulleted">
+ <item>
+ <p>Change of controlling process in not OTP compliant. </p>
+ <p>OwnId; OTP-4712</p>
+ </item>
+ <item>
+ <p>There is still no way to restrict the cipher sizes. </p>
+ <p>OwnId: OTP-4712</p>
+ </item>
+ <item>
+ <p>The <c>keep_alive</c> and <c>reuse_addr</c> options will be
+ added in a future release. </p>
+ <p>OwnId: OTP-4677</p>
+ </item>
+ <item>
+ <p>There is currently no way to restrict the SSL/TLS
+ protocol versions to use. In a future release this will be
+ supported as a configuration option, and as an option for
+ each connection as well. </p>
+ <p>OwnId: OTP-4711.</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 2.3.6</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>There was a synchronization error at closing, which could
+ result in that an SSL socket was removed prematurely, resulting
+ in that a user process referring to it received an unexpected
+ exit.</p>
+ <p>OwnId: OTP-4435
+ <br></br>
+Aux Id: seq7600</p>
+ </item>
+ </list>
+ </section>
+
+ <section>
+ <title>Known Bugs and Problems</title>
+ <p>See SSL 2.2 . </p>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 2.3.5</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>Setting of the option `nodelay' caused the SSL port program
+ to dump core.</p>
+ <p>OwnId: OTP-4380
+ <br></br>
+Aux Id: -</p>
+ </item>
+ <item>
+ <p>Setting of the option '{active, once}' in <c>setopts</c> was
+ wrong, causing a correct socket message to be regarded as
+ erroneous. </p>
+ <p>OwnId: OTP-4380
+ <br></br>
+Aux Id: -</p>
+ </item>
+ <item>
+ <p>A self-signed peer certificate was always rejected with the
+ error `eselfsignedcert', irrespective of the `depth' value. </p>
+ <p>OwnId: OTP-4374
+ <br></br>
+Aux Id: seq7417</p>
+ </item>
+ </list>
+ </section>
+
+ <section>
+ <title>Known Bugs and Problems</title>
+ <p>See SSL 2.2 . </p>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 2.3.4</title>
+
+ <section>
+ <title>Improvements and New Features</title>
+ <list type="bulleted">
+ <item>
+ <p>All TCP options allowed in gen_tcp, are now also allowed in
+ SSL, except the option <c>{reuseaddr, Boolean}</c>. A new
+ function <c>getopts</c> has been added to the SSL interface
+ module <c>ssl</c>. </p>
+ <p>OwnId: OTP-4305, OTP-4159</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 2.3.3</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>The roles of the SSLeay and OpenSSL packages has been
+ clarified in the ssl(6) application manual page. Also
+ the URLs from which to download SSLeay has been updated.</p>
+ <p>OwnId: OTP-4002
+ <br></br>
+Aux Id: seq5269</p>
+ </item>
+ <item>
+ <p>A call to <c>ssl:listen(Port, Options)</c> with
+ <c>Options = []</c> resulted in the cryptic <c>{error, ebadf}</c> return value. The return value has been changed
+ to <c>{error, enooptions}</c>, and the behaviour has been
+ documented in the <c>listen/2</c> function.</p>
+ <p>OwnId: OTP-4016
+ <br></br>
+Aux Id: seq7006</p>
+ </item>
+ <item>
+ <p>Use of the option <c>{nodelay, boolean()}</c> crashed
+ the <c>ssl_server</c>.</p>
+ <p>OwnId: OTP-4070
+ <br></br>
+Aux Id:</p>
+ </item>
+ <item>
+ <p>A bug caused the Erlang distribution over ssl to fail.
+ This bug has now been fixed.</p>
+ <p>OwnId: OTP-4072
+ <br></br>
+Aux Id:</p>
+ </item>
+ <item>
+ <p>On Windows when the SSL port program encountered an
+ error code not anticipated it crashed. </p>
+ <p>OwnId: OTP-4132
+ <br></br>
+Aux Id:</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 2.3.2</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>The <c>ssl:accept/1-2</c> function sometimes returned
+ <c>{error, {What, Where}}</c> instead of <c>{error, What}</c>, where <c>What</c> is an atom. </p>
+ <p>OwnId: OTP-3775
+ <br></br>
+Aux Id: seq4991</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 2.3.1</title>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>Sometimes the SSL portprogram would loop in an accept
+ loop, without terminating even when the SSL application
+ was stopped.. </p>
+ <p>OwnId: OTP-3691</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 2.3</title>
+ <p>Functions have been added to SSL to experimentally support
+ Erlang distribution.
+ </p>
+ </section>
+
+ <section>
+ <title>SSL 2.2.1</title>
+ <p>The 2.2.1 version of SSL provides code replacement in runtime
+ by upgrading from, or downgrading to, versions 2.1 and 2.2.
+ </p>
+ </section>
+
+ <section>
+ <title>SSL 2.2</title>
+
+ <section>
+ <title>Improvements and New Features</title>
+ <list type="bulleted">
+ <item>
+ <p>The restriction that only the creator of an SSL socket can
+ read from and write to the socket has been lifted.</p>
+ <p>OwnId: OTP-3301</p>
+ </item>
+ <item>
+ <p>The option <c>{packet, cdr}</c> for SSL sockets has been added,
+ which means that SSL sockets also supports CDR encoded packets.</p>
+ <p>OwnId: OTP-3302</p>
+ </item>
+ </list>
+ </section>
+
+ <section>
+ <title>Known Bugs and Problems</title>
+ <list type="bulleted">
+ <item>
+ <p>Setting of a CA certificate file with the <c>cacertfile</c>
+ option (in calls to <c>ssl:accept/1/2</c> or
+ <c>ssl:connect/3/4</c>) does not work due to weaknesses
+ in the SSLeay package. </p>
+ <p>A work-around is to set the OS environment variable
+ <c>SSL_CERT_FILE</c> before SSL is started. However, then
+ the CA certificate file will be global for all connections.</p>
+ <p>OwnId: OTP-3146</p>
+ </item>
+ <item>
+ <p>When changing controlling process of an SSL socket, a
+ temporary process is started, which is not gen_server
+ compliant.</p>
+ <p>OwnId: OTP-3146</p>
+ </item>
+ <item>
+ <p>Although there is a <c>cache</c> timeout option, it is
+ silently ignored.</p>
+ <p>OwnId: OTP-3146</p>
+ </item>
+ <item>
+ <p>There is currently no way to restrict the cipher sizes.</p>
+ <p>OwnId: OTP-3146</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 2.1</title>
+
+ <section>
+ <title>Improvements and New Features</title>
+ <list type="bulleted">
+ <item>
+ <p>The set of possible error reasons has been extended to
+ contain diagnostics on erroneous certificates and failures
+ to verify certificates.</p>
+ <p>OwnId: OTP-3145</p>
+ </item>
+ <item>
+ <p>The maximum number of simultaneous SSL connections on
+ Windows has been increased from 31 to 127.</p>
+ <p>OwnId: OTP-3145</p>
+ </item>
+ </list>
+ </section>
+
+ <section>
+ <title>Fixed Bugs and Malfunctions</title>
+ <list type="bulleted">
+ <item>
+ <p>A dead-lock occurring when write queues are not empty has
+ been removed. </p>
+ <p>OwnId: OTP-3145</p>
+ </item>
+ <item>
+ <p>Error reasons have been unified and changed.</p>
+ <p>(** POTENTIAL INCOMPATIBILITY **)</p>
+ <p>OwnId: OTP-3145</p>
+ </item>
+ <item>
+ <p>On Windows a check of the existence of the environment
+ variable <c>ERLSRV_SERVICE_NAME</c> has been added. If
+ that variable is defined, the port program of the SSL
+ application will not terminated when a user logs off.</p>
+ <p>OwnId: OTP-3145</p>
+ </item>
+ <item>
+ <p>An error in the setting of the <c>nodelay</c> option
+ has been corrected.</p>
+ <p>OwnId: OTP-3145</p>
+ </item>
+ <item>
+ <p>The confounded notions of verify mode and verify depth has
+ been corrected. The option <c>verifydepth</c> has been
+ removed, and the two separate options <c>verify</c> and
+ <c>depth</c> has been added.</p>
+ <p>(** POTENTIAL INCOMPATIBILITY **)</p>
+ <p>OwnId: OTP-3145</p>
+ </item>
+ </list>
+ </section>
+
+ <section>
+ <title>Known Bugs and Problems</title>
+ <list type="bulleted">
+ <item>
+ <p>Setting of a CA certificate file with the <c>cacertfile</c>
+ option (in calls to <c>ssl:accept/1/2</c> or
+ <c>ssl:connect/3/4</c>) does not work due to weaknesses
+ in the SSLeay package. </p>
+ <p>A work-around is to set the OS environment variable
+ <c>SSL_CERT_FILE</c> before SSL is started. However, then
+ the CA certificate file will be global for all connections.</p>
+ <p>OwnId: OTP-3146</p>
+ </item>
+ <item>
+ <p>When changing controlling process of an SSL socket, a
+ temporary process is started, which is not gen_server
+ compliant.</p>
+ <p>OwnId: OTP-3146</p>
+ </item>
+ <item>
+ <p>Although there is a <c>cache</c> timeout option, it is
+ silently ignored.</p>
+ <p>OwnId: OTP-3146</p>
+ </item>
+ <item>
+ <p>There is currently no way to restrict the cipher sizes.</p>
+ <p>OwnId: OTP-3146</p>
+ </item>
+ </list>
+ </section>
+ </section>
+
+ <section>
+ <title>SSL 2.0</title>
+ <p>A complete new version of SSL with separate I/O channels
+ for all connections with non-blocking I/O multiplexing.</p>
+ </section>
+</chapter>
+
+
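Review bot: the SSL 3.10.3 entry (OTP-8011) buries a security-relevant default behind a side clause and should state it as a behavioural change: "that implies that by default {bad_cert,unknown_ca} is an accepted fault during the client connection phase" means a client using verify_peer will, out of the box, complete a handshake with a server whose certificate chains to an unknown CA, and readers who relied on verify_peer for that check need to be told plainly that they must now supply a verify_fun that rejects {bad_cert,unknown_ca}, ideally with a (** POTENTIAL INCOMPATIBILITY **) marker like the ones used in the SSL 2.1 entries. The same applies to the SSL 3.10.4 entry (OTP-8137), "A client could avoid a certificate check if the client code didn't send the requested certificate", which describes an authentication bypass on the server side and should say so rather than read like an ordinary malfunction. Smaller points in the same hunk: the id label is written "Own Id:" in the 3.x entries and "OwnId:" from SSL 3.0 downwards, with one "OwnId; OTP-4712" typo, and that OTP-4712 id is reused for two unrelated known problems (controlling-process change and cipher-size restriction) in the SSL 3.0 section; section titles alternate between "SSL" and "Ssl" for 3.0.3 through 3.0.7; and the file ends with two blank lines after </chapter>.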