path: root/lib/ssl/doc/src/notes.xml
Diffstat (limited to 'lib/ssl/doc/src/notes.xml')
-rw-r--r-- lib/ssl/doc/src/notes.xml 653
1 files changed, 647 insertions, 6 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 8875d07535..759a3b3fce 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="iso-8859-1" ?>
+<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE chapter SYSTEM "chapter.dtd">
<chapter>
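Review bot: Changing the declaration on the first line to encoding="utf-8" is only correct if the file's bytes were transcoded in the same commit. Any non-ASCII character still stored as ISO-8859-1 becomes an invalid UTF-8 sequence and will fail the XML parse in the documentation build. Please confirm the whole file decodes cleanly as UTF-8 and was converted, not just relabelled.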
@@ -25,8 +25,639 @@
<file>notes.xml</file>
</header>
<p>This document describes the changes made to the SSL application.</p>
-
- <section><title>SSL 5.3</title>
+ <section><title>SSL 6.0.1.2</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Hibernation with small or a zero timeout will now work as
+ expected</p>
+ <p>
+ Own Id: OTP-13189</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 6.0.1.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Gracefully ignore proprietary hash_sign algorithms</p>
+ <p>
+ Own Id: OTP-13151</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 6.0.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Terminate gracefully when receving bad input to premaster
+ secret calculation</p>
+ <p>
+ Own Id: OTP-12783</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 6.0</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Exclude self-signed trusted anchor certificates from
+ certificate prospective certification path according to
+ RFC 3280.</p>
+ <p>
+ This will avoid some unnecessary certificate processing.</p>
+ <p>
+ Own Id: OTP-12449</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Separate client and server session cache internally.</p>
+ <p>
+ Avoid session table growth when client starts many
+ connections in such a manner that many connections are
+ started before session reuse is possible. Only save a new
+ session in client if there is no equivalent session
+ already stored.</p>
+ <p>
+ Own Id: OTP-11365</p>
+ </item>
+ <item>
+ <p>
+ The PEM cache is now validated by a background process,
+ instead of always keeping it if it is small enough and
+ clearing it otherwise. That strategy required that small
+ caches where cleared by API function if a file changes on
+ disk.</p>
+ <p>
+ However export the API function to clear the cache as it
+ may still be useful.</p>
+ <p>
+ Own Id: OTP-12391</p>
+ </item>
+ <item>
+ <p>
+ Add padding check for TLS-1.0 to remove Poodle
+ vulnerability from TLS 1.0, also add the option
+ padding_check. This option only affects TLS-1.0
+ connections and if set to false it disables the block
+ cipher padding check to be able to interoperate with
+ legacy software.</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-12420</p>
+ </item>
+ <item>
+ <p>
+ Add support for TLS_FALLBACK_SCSV used to prevent
+ undesired TLS version downgrades. If used by a client
+ that is vulnerable to the POODLE attack, and the server
+ also supports TLS_FALLBACK_SCSV, the attack can be
+ prevented.</p>
+ <p>
+ Own Id: OTP-12458</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3.8</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Make sure the clean rule for ssh, ssl, eunit and otp_mibs
+ actually removes generated files.</p>
+ <p>
+ Own Id: OTP-12200</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Change code to reflect that state data may be secret to
+ avoid breaking dialyzer contracts.</p>
+ <p>
+ Own Id: OTP-12341</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3.7</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Handle the fact that servers may send an empty SNI
+ extension to the client.</p>
+ <p>
+ Own Id: OTP-12198</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3.6</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Corrected handling of ECC certificates, there where
+ several small issues with the handling of such
+ certificates in the ssl and public_key application. Now
+ ECC signed ECC certificates shall work and not only RSA
+ signed ECC certificates.</p>
+ <p>
+ Own Id: OTP-12026</p>
+ </item>
+ <item>
+ <p>
+ Check that the certificate chain ends with a trusted ROOT
+ CA e.i. a self-signed certificate, but provide an option
+ partial_chain to enable the application to define an
+ intermediat CA as trusted.</p>
+ <p>
+ Own Id: OTP-12149</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Add decode functions for SNI (Server Name Indication)</p>
+ <p>
+ Own Id: OTP-12048</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3.5</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ ssl:recv now returns {error, einval} if applied to a non
+ passive socket, the same as gen_tcp:recv. </p>
+ <p>
+ Thanks to Danil Zagoskin for reporting this issue</p>
+ <p>
+ Own Id: OTP-11878</p>
+ </item>
+ <item>
+ <p>
+ Corrected handling of default values for
+ signature_algorithms extension in TLS-1.2 and
+ corresponding values used in previous versions that does
+ not support this extension. </p>
+ <p>
+ Thanks to Danil Zagoskin</p>
+ <p>
+ Own Id: OTP-11886</p>
+ </item>
+ <item>
+ <p>
+ Handle socket option inheritance when pooling of accept
+ sockets is used</p>
+ <p>
+ Own Id: OTP-11897</p>
+ </item>
+ <item>
+ <p>
+ Make sure that the list of versions, possibly supplied in
+ the versions option, is not order dependent.</p>
+ <p>
+ Thanks to Ransom Richardson for reporting this issue</p>
+ <p>
+ Own Id: OTP-11912</p>
+ </item>
+ <item>
+ <p>
+ Reject connection if the next_protocol message is sent
+ twice.</p>
+ <p>
+ Own Id: OTP-11926</p>
+ </item>
+ <item>
+ <p>
+ Correct options handling when ssl:ssl_accept/3 is called
+ with new ssl options after calling ssl:listen/2</p>
+ <p>
+ Own Id: OTP-11950</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Gracefully handle unknown alerts</p>
+ <p>
+ Thanks to Atul Atri for reporting this issue</p>
+ <p>
+ Own Id: OTP-11874</p>
+ </item>
+ <item>
+ <p>
+ Gracefully ignore cipher suites sent by client not
+ supported by the SSL/TLS version that the client has
+ negotiated.</p>
+ <p>
+ Thanks to Danil Zagoskin for reporting this issue</p>
+ <p>
+ Own Id: OTP-11875</p>
+ </item>
+ <item>
+ <p>
+ Gracefully handle structured garbage, i.e a client sends
+ some garbage in a ssl record instead of a valid fragment.</p>
+ <p>
+ Thanks to Danil Zagoskin</p>
+ <p>
+ Own Id: OTP-11880</p>
+ </item>
+ <item>
+ <p>
+ Gracefully handle invalid alerts</p>
+ <p>
+ Own Id: OTP-11890</p>
+ </item>
+ <item>
+ <p>
+ Generalize handling of default ciphers</p>
+ <p>
+ Thanks to Andreas Schultz</p>
+ <p>
+ Own Id: OTP-11966</p>
+ </item>
+ <item>
+ <p>
+ Make sure change cipher spec is correctly handled</p>
+ <p>
+ Own Id: OTP-11975</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3.4</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Fix incorrect dialyzer spec and types, also enhance
+ documentation. </p>
+ <p>
+ Thanks to Ayaz Tuncer.</p>
+ <p>
+ Own Id: OTP-11627</p>
+ </item>
+ <item>
+ <p>
+ Fix possible mismatch between SSL/TLS version and default
+ ciphers. Could happen when you specified SSL/TLS-version
+ in optionlist to listen or accept.</p>
+ <p>
+ Own Id: OTP-11712</p>
+ </item>
+ <item>
+ <p>
+ Application upgrade (appup) files are corrected for the
+ following applications: </p>
+ <p>
+ <c>asn1, common_test, compiler, crypto, debugger,
+ dialyzer, edoc, eldap, erl_docgen, et, eunit, gs, hipe,
+ inets, observer, odbc, os_mon, otp_mibs, parsetools,
+ percept, public_key, reltool, runtime_tools, ssh,
+ syntax_tools, test_server, tools, typer, webtool, wx,
+ xmerl</c></p>
+ <p>
+ A new test utility for testing appup files is added to
+ test_server. This is now used by most applications in
+ OTP.</p>
+ <p>
+ (Thanks to Tobias Schlager)</p>
+ <p>
+ Own Id: OTP-11744</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Moved elliptic curve definition from the crypto
+ NIF/OpenSSL into Erlang code, adds the RFC-5639 brainpool
+ curves and makes TLS use them (RFC-7027).</p>
+ <p>
+ Thanks to Andreas Schultz</p>
+ <p>
+ Own Id: OTP-11578</p>
+ </item>
+ <item>
+ <p>
+ Unicode adaptations</p>
+ <p>
+ Own Id: OTP-11620</p>
+ </item>
+ <item>
+ <p>
+ Added option honor_cipher_order. This instructs the
+ server to prefer its own cipher ordering rather than the
+ client's and can help protect against things like BEAST
+ while maintaining compatability with clients which only
+ support older ciphers. </p>
+ <p>
+ Thanks to Andrew Thompson for the implementation, and
+ Andreas Schultz for the test cases.</p>
+ <p>
+ Own Id: OTP-11621</p>
+ </item>
+ <item>
+ <p>
+ Replace boolean checking in validate_option with
+ is_boolean guard. </p>
+ <p>
+ Thanks to Andreas Schultz.</p>
+ <p>
+ Own Id: OTP-11634</p>
+ </item>
+ <item>
+ <p>
+ Some function specs are corrected or moved and some edoc
+ comments are corrected in order to allow use of edoc.
+ (Thanks to Pierre Fenoll)</p>
+ <p>
+ Own Id: OTP-11702</p>
+ </item>
+ <item>
+ <p>
+ Correct clean up of certificate database when certs are
+ inputed in pure DER format.The incorrect code could cause
+ a memory leek when certs where inputed in DER. Thanks to
+ Bernard Duggan for reporting this.</p>
+ <p>
+ Own Id: OTP-11733</p>
+ </item>
+ <item>
+ <p>
+ Improved documentation of the cacertfile option</p>
+ <p>
+ Own Id: OTP-11759 Aux Id: seq12535 </p>
+ </item>
+ <item>
+ <p>
+ Avoid next protocol negotiation failure due to incorrect
+ option format.</p>
+ <p>
+ Own Id: OTP-11760</p>
+ </item>
+ <item>
+ <p>
+ Handle v1 CRLs, with no extensions and fixes issues with
+ IDP (Issuing Distribution Point) comparison during CRL
+ validation. </p>
+ <p>
+ Thanks to Andrew Thompson</p>
+ <p>
+ Own Id: OTP-11761</p>
+ </item>
+ <item>
+ <p>
+ Server now ignores client ECC curves that it does not
+ support instead of crashing. </p>
+ <p>
+ Thanks to Danil Zagoskin for reporting the issue and
+ suggesting a solution.</p>
+ <p>
+ Own Id: OTP-11780</p>
+ </item>
+ <item>
+ <p>
+ Handle SNI (Server Name Indication) alert
+ unrecognized_name and gracefully deal with unexpected
+ alerts. </p>
+ <p>
+ Thanks to Masatake Daimon for reporting this.</p>
+ <p>
+ Own Id: OTP-11815</p>
+ </item>
+ <item>
+ <p>
+ Add possibility to specify ssl options when calling
+ ssl:ssl_accept</p>
+ <p>
+ Own Id: OTP-11837</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3.3</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Add missing validation of the server_name_indication
+ option and test for its explicit use. It was not possible
+ to set or disable the default server_name_indication as
+ the validation of the option was missing.</p>
+ <p>
+ Own Id: OTP-11567</p>
+ </item>
+ <item>
+ <p>
+ Elliptic curve selection in server mode now properly
+ selects a curve suggested by the client, if possible, and
+ the fallback alternative is changed to a more widely
+ supported curve.</p>
+ <p>
+ Own Id: OTP-11575</p>
+ </item>
+ <item>
+ <p>
+ Bug in the TLS hello extension handling caused the server
+ to behave as it did not understand secure renegotiation.</p>
+ <p>
+ Own Id: OTP-11595</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3.2</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Honors the clients advertised support of elliptic curves
+ and no longer sends incorrect elliptic curve extension in
+ server hello.</p>
+ <p>
+ Own Id: OTP-11370</p>
+ </item>
+ <item>
+ <p>
+ Fix initialization of DTLS fragment reassembler, in
+ previously contributed code, for future support of DTLS .
+ Thanks to Andreas Schultz.</p>
+ <p>
+ Own Id: OTP-11376</p>
+ </item>
+ <item>
+ <p>
+ Corrected type error in client_preferred_next_protocols
+ documentation. Thanks to Julien Barbot.</p>
+ <p>
+ Own Id: OTP-11457</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ TLS code has been refactored to prepare for future DTLS
+ support. Also some DTLS code is in place but not yet
+ runnable, some of it contributed by Andreas Schultz and
+ some of it written by the OTP team. Thanks to to Andreas
+ for his participation.</p>
+ <p>
+ Own Id: OTP-11292</p>
+ </item>
+ <item>
+ <p>
+ Remove extraneous dev debug code left in the close
+ function. Thanks to Ken Key.</p>
+ <p>
+ Own Id: OTP-11447</p>
+ </item>
+ <item>
+ <p>
+ Add SSL Server Name Indication (SNI) client support.
+ Thanks to Julien Barbot.</p>
+ <p>
+ Own Id: OTP-11460</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Setopts during renegotiation caused the renegotiation to
+ be unsuccessful.</p>
+ <p>
+ If calling setopts during a renegotiation the FSM state
+ might change during the handling of the setopts messages,
+ this is now handled correctly.</p>
+ <p>
+ Own Id: OTP-11228</p>
+ </item>
+ <item>
+ <p>
+ Now handles signature_algorithm field in digitally_signed
+ properly with proper defaults. Prior to this change some
+ elliptic curve cipher suites could fail reporting the
+ error "bad certificate".</p>
+ <p>
+ Own Id: OTP-11229</p>
+ </item>
+ <item>
+ <p>
+ The code emulating the inet header option was changed in
+ the belief that it made it inet compatible. However the
+ testing is a bit hairy as the inet option is actually
+ broken, now the tests are corrected and the header option
+ should work in the same broken way as inet again,
+ preferably use the bitsyntax instead.</p>
+ <p>
+ Own Id: OTP-11230</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Make the ssl manager name for erlang distribution over
+ SSL/TLS relative to the module name of the ssl_manager.</p>
+ <p>
+ This can be beneficial when making tools that rename
+ modules for internal processing in the tool.</p>
+ <p>
+ Own Id: OTP-11255</p>
+ </item>
+ <item>
+ <p>
+ Add documentation regarding log_alert option.</p>
+ <p>
+ Own Id: OTP-11271</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 5.3</title>
<section><title>Fixed Bugs and Malfunctions</title>
<list>
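Review bot: The padding_check entry (OTP-12420) under SSL 6.0 does not state the option's default or the cost of turning it off. As written, "if set to false it disables the block cipher padding check" reads as a plain interoperability switch, while the sentence before it says this check is what removes the Poodle exposure from TLS 1.0. Suggest stating the default and adding that setting the option to false re-exposes TLS-1.0 connections to that attack, so it should be limited to the legacy peers that need it. The TLS_FALLBACK_SCSV entry (OTP-12458) could likewise say whether the client sends the value automatically or needs an option. The added text also carries spelling errors worth fixing before release: "receving" (OTP-12783), "e.i." and "intermediat" (OTP-12149), "compatability" (OTP-11621), "memory leek", "inputed" and "certs where" (OTP-11733), "there where" (OTP-12026), "caches where cleared" (OTP-12391) and "Thanks to to" (OTP-11292). The OTP-12449 entry cites RFC 3280, which has been obsoleted by RFC 5280.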
@@ -100,7 +731,6 @@
</section>
<section><title>SSL 5.2.1</title>
-
<section><title>Improvements and New Features</title>
<list>
<item>
@@ -126,9 +756,20 @@
</section>
</section>
-
+<section><title>SSL 5.1.2.1</title>
+<section><title>Improvements and New Features</title>
+<list>
+ <item>
+ <p>
+ Make log_alert configurable as option in ssl, SSLLogLevel
+ added as option to inets conf file</p>
+ <p>
+ Own Id: OTP-11259</p>
+ </item>
+</list>
+</section>
+</section>
<section><title>SSL 5.2</title>
-
<section><title>Fixed Bugs and Malfunctions</title>
<list>
<item>
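Review bot: The new SSL 5.1.2.1 section lands between SSL 5.2.1 and SSL 5.2, which breaks the descending version order the rest of the file follows (6.0.1.2 down through 5.3 and 5.2.1). If the placement is meant to be chronological by release, a short comment would help; otherwise move the section below SSL 5.2. The entry itself (OTP-11259) names log_alert and SSLLogLevel without saying which values they accept or what the default is, which matters to anyone relying on TLS alert logging for monitoring.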