diff options
Diffstat (limited to 'lib/ssl/doc/src')
-rw-r--r-- | lib/ssl/doc/src/notes.xml | 42 | ||||
-rw-r--r-- | lib/ssl/doc/src/ssl.xml | 48 |
2 files changed, 70 insertions, 20 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index 5f9e436348..756c0d1b1f 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -31,7 +31,47 @@ <p>This document describes the changes made to the SSL application. </p> - <section><title>SSL 4.0.1</title> + <section><title>SSL 4.1</title> + + <section><title>Improvements and New Features</title> + <list> + <item> + <p> + Updated ssl to ignore CA certs that violate the asn1-spec + for a certificate, and updated public key asn1 spec to + handle inherited DSS-params.</p> + <p> + Own Id: OTP-7884</p> + </item> + <item> + <p> + Changed ssl implementation to retain backwards + compatibility for old option {verify, 0} that shall be + equivalent to {verify, verify_none}, also separate the + cases unknown ca and selfsigned peer cert, and restored + return value of deprecated function + public_key:pem_to_der/1.</p> + <p> + Own Id: OTP-8858</p> + </item> + <item> + <p> + Changed the verify fun so that it differentiate between + the peer certificate and CA certificates by using + valid_peer or valid as the second argument to the verify + fun. It may not always be trivial or even possible to + know when the peer certificate is reached otherwise.</p> + <p> + *** POTENTIAL INCOMPATIBILITY ***</p> + <p> + Own Id: OTP-8873</p> + </item> + </list> + </section> + +</section> + +<section><title>SSL 4.0.1</title> <section><title>Fixed Bugs and Malfunctions</title> <list> diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index d5b7253ef3..ec272379bb 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -114,7 +114,7 @@ <p><c>ciphersuite() = {key_exchange(), cipher(), hash()}</c></p> - <p><c>key_exchange() = rsa | dhe_dss | dhe_rsa + <p><c>key_exchange() = rsa | dhe_dss | dhe_rsa | dh_anon </c></p> <p><c>cipher() = rc4_128 | des_cbc | '3des_ede_cbc' @@ -170,8 +170,13 @@ <tag>{ciphers, ciphers()}</tag> <item>The cipher suites that should be supported. The function - <c>ciphers_suites/0</c> can be used to find all available - ciphers. + <c>cipher_suites/0</c> can be used to find all available + ciphers. Additionally some anonymous cipher suites ({dh_anon, + rc4_128, md5}, {dh_anon, des_cbc, sha}, {dh_anon, + '3des_ede_cbc', sha}, {dh_anon, aes_128_cbc, sha}, {dh_anon, + aes_256_cbc, sha}) are supported for testing purposes and will + only work if explicitly enabled by this option and they are supported/enabled + by the peer also. </item> <tag>{ssl_imp, ssl_imp()}</tag> @@ -202,10 +207,10 @@ <p>The verification fun should be defined as:</p> <code> -fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} | +fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} | {extension, #'Extension'{}}, InitialUserState :: term()) -> - {valid, UserState :: term()} | {fail, Reason :: term()} | - {unknown, UserState :: term()}. + {valid, UserState :: term()} | {valid_peer, UserState :: term()} | + {fail, Reason :: term()} | {unknown, UserState :: term()}. </code> <p>The verify fun will be called during the X509-path @@ -213,10 +218,12 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} | application is encountered. Additionally it will be called when a certificate is considered valid by the path validation to allow access to each certificate in the path to the user - application. - See - <seealso marker="public_key:application">public_key(3)</seealso> - for definition of #'OtpCertificate'{} and #'Extension'{}.</p> + application. Note that the it will differentiate between the + peer certificate and CA certificates by using valid_peer or + valid as the second argument to the verify fun. See <seealso + marker="public_key:cert_records">the public_key User's + Guide</seealso> for definition of #'OTPCertificate'{} and + #'Extension'{}.</p> <p>If the verify callback fun returns {fail, Reason}, the verification process is immediately stopped and an alert is @@ -237,21 +244,23 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} | (_,{extension, _}, UserState) -> {unknown, UserState}; (_, valid, UserState) -> - {valid, UserState} + {valid, UserState}; + (_, valid_peer, UserState) -> + {valid, UserState} end, []} </code> <p>The default verify_fun option in verify_none mode:</p> <code> -{fun(_,{bad_cert, unknown_ca}, UserState) -> +{fun(_,{bad_cert, _}, UserState) -> {valid, UserState}; - (_,{bad_cert, _} = Reason, _) -> - {fail, Reason}; (_,{extension, _}, UserState) -> {unknown, UserState}; (_, valid, UserState) -> - {valid, UserState} + {valid, UserState}; + (_, valid_peer, UserState) -> + {valid, UserState} end, []} </code> @@ -267,13 +276,14 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} | <section> <title>SSL OPTION DESCRIPTIONS - CLIENT SIDE</title> - <p>Option described here are client specific or has a slightly different + <p>Options described here are client specific or has a slightly different meaning in the client than in the server.</p> <taglist> <tag>{verify, verify_type()}</tag> - <item> In verify_none mode the x509-path validation error {bad_cert, unknown_ca} - will automatically be accepted. See also the verify_fun option. + <item> In verify_none mode the default behavior will be to + allow all x509-path validation errors. See also the verify_fun + option. </item> <tag>{reuse_sessions, boolean()}</tag> <item>Specifies if client should try to reuse sessions @@ -286,7 +296,7 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} | <section> <title>SSL OPTION DESCRIPTIONS - SERVER SIDE</title> - <p>Option described here are server specific or has a slightly different + <p>Options described here are server specific or has a slightly different meaning in the server than in the client.</p> <taglist> |