Diffstat (limited to 'lib/ssl')
-rw-r--r-- | lib/ssl/doc/src/notes.xml | 84 | ||||
-rw-r--r-- | lib/ssl/src/ssl.appup.src | 4 | ||||
-rw-r--r-- | lib/ssl/src/ssl.erl | 4 | ||||
-rw-r--r-- | lib/ssl/src/ssl_connection.erl | 18 | ||||
-rw-r--r-- | lib/ssl/src/ssl_manager.erl | 30 |
5 files changed, 73 insertions, 67 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index 52ee9c086a..b2d17925fd 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -1,4 +1,4 @@ -<?xml version="1.0" encoding="latin1" ?> +<?xml version="1.0" encoding="iso-8859-1" ?> <!DOCTYPE chapter SYSTEM "chapter.dtd"> <chapter> 
@@ -28,59 +28,47 @@ <rev>G</rev> <file>notes.xml</file> </header> - <p>This document describes the changes made to the SSL application. - </p> - - <section><title>SSL 4.1.4</title> - + <p>This document describes the changes made to the SSL application.</p> + + <section> + <title>SSL 4.1.5</title> + <section><title>Improvements and New Features</title> - <list> - <item> - <p> - Reduced memory footprint of an ssl connection.</p> - <p> - Handshake hashes, premaster secret and "public_key_info" - does not need to be saved when the connection has been - established. The own certificate is no longer duplicated - in the state.</p> - <p> - Own Id: OTP-9021</p> - </item> - <item> - <p> - Add the option {hibernate_after, int()} to ssl:connect - and ssl:listen</p> - <p> - Own Id: OTP-9106</p> - </item> - </list> + <list> + <item> + <p>Calling gen_tcp:connect with option {ip, {127,0,0,1}} results in + an exit with reason badarg. Neither SSL nor INETS This was not + catched, resulting in crashes with incomprehensible reasons.</p> + <p>Own Id: OTP-9289 Aux Id: seq11845</p> + </item> + </list> </section> - -</section> - -<section><title>SSL 4.1.3</title> - + + </section> + + <section> + <title>SSL 4.1.3</title> + <section><title>Fixed Bugs and Malfunctions</title> - <list> - <item> - <p> - Fixed error in cache-handling fix from ssl-4.1.2</p> - <p> - Own Id: OTP-9018 Aux Id: seq11739 </p> - </item> - <item> - <p> - Verification of a critical extended_key_usage-extension - corrected</p> - <p> - Own Id: OTP-9029 Aux Id: seq11541 </p> - </item> - </list> + <list> + <item> + <p> + Fixed error in cache-handling fix from ssl-4.1.2</p> + <p> + Own Id: OTP-9018 Aux Id: seq11739 </p> + </item> + <item> + <p>Verification of a critical extended_key_usage-extension + corrected</p> + <p>Own Id: OTP-9029 Aux Id: seq11541 </p> + </item> + </list> </section> -</section> + </section> -<section><title>SSL 4.1.2</title> + <section> + <title>SSL 4.1.2</title> <section><title>Fixed Bugs and 
Malfunctions</title> <list> diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src index a0ecb4ac6f..cf8867245b 100644 --- a/lib/ssl/src/ssl.appup.src +++ b/lib/ssl/src/ssl.appup.src @@ -5,7 +5,7 @@ {"4.1.3", [{restart_application, ssl}]}, {"4.1.2", [{restart_application, ssl}]}, {"4.1.1", [{restart_application, ssl}]}, - {"4.1", [{restart_application, ssl}]}, + {"4.1", [{restart_application, ssl}]}, {"4.0.1", [{restart_application, ssl}]} ], [ @@ -13,7 +13,7 @@ {"4.1.3", [{restart_application, ssl}]}, {"4.1.2", [{restart_application, ssl}]}, {"4.1.1", [{restart_application, ssl}]}, - {"4.1", [{restart_application, ssl}]}, + {"4.1", [{restart_application, ssl}]}, {"4.0.1", [{restart_application, ssl}]} ]}. diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index 380c59b058..0ced6707eb 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -611,8 +611,10 @@ do_new_connect(Address, Port, catch exit:{function_clause, _} -> {error, {eoptions, {cb_info, CbInfo}}}; + exit:badarg -> + {error, {eoptions, {inet_options, UserOpts}}}; exit:{badarg, _} -> - {error,{eoptions, {inet_options, UserOpts}}} + {error, {eoptions, {inet_options, UserOpts}}} end. old_connect(Address, Port, Options, Timeout) -> diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index 0a86e9bd29..2c452837f8 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl 
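Review bot: The new `exit:badarg ->` clause in `do_new_connect` matches any exit with reason `badarg` raised inside the `try`, not only the one from the socket connect call, so an unrelated `badarg` would be reported to the caller as an `inet_options` error. The `try` body starts outside this hunk, so whether other calls in it can exit this way cannot be confirmed from here. At minimum the clause should say where the exit comes from, for example `%% gen_tcp:connect exits with a bare badarg on invalid inet options (OTP-9289)`, which is what the release note in this commit describes. The two `badarg` clauses now share an identical body, so that comment would also explain why both shapes are handled.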
@@ -941,17 +941,23 @@ handle_info({Protocol, _, Data}, StateName, handle_info({CloseTag, Socket}, _StateName, #state{socket = Socket, close_tag = CloseTag, - negotiated_version = Version, host = Host, - port = Port, socket_options = Opts, + negotiated_version = Version, + socket_options = Opts, user_application = {_Mon,Pid}, from = From, - role = Role, session = Session} = State) -> - %% Debug option maybe, the user do NOT want to see these in their logs - %% error_logger:info_report("SSL: Peer did not send close notify alert."), + role = Role} = State) -> + %% Note that as of TLS 1.1, + %% failure to properly close a connection no longer requires that a + %% session not be resumed. This is a change from TLS 1.0 to conform + %% with widespread implementation practice. case Version of {1, N} when N >= 1 -> ok; _ -> - invalidate_session(Role, Host, Port, Session) + %% As invalidate_sessions here causes performance issues, + %% we will conform to the widespread implementation + %% practice and go aginst the spec + %%invalidate_session(Role, Host, Port, Session) + ok end, alert_user(Opts#socket_options.active, Pid, From, ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY), Role), diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl index f845b1ecc0..5a2d0c9496 100644 --- a/lib/ssl/src/ssl_manager.erl +++ b/lib/ssl/src/ssl_manager.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2007-2010. All Rights Reserved. +%% Copyright Ericsson AB 2007-2011. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -57,6 +57,7 @@ -define('24H_in_sec', 8640). -define(SESSION_VALIDATION_INTERVAL, 60000). -define(CERTIFICATE_CACHE_CLEANUP, 30000). +-define(CLEAN_SESSION_DB, 60000). %%==================================================================== %% API 
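Review bot: After this change both arms of `case Version of` in the `{CloseTag, Socket}` clause of `handle_info` evaluate to `ok`, so the case is dead code and a TLS 1.0 or SSL 3.0 session stays resumable when the peer closes the transport without sending close_notify. A missing close_notify is how a truncated stream shows up, so this deliberate deviation from the spec should be stated once and plainly rather than left as a commented-out call inside a no-op branch. I would drop the `case` and the `%%invalidate_session(...)` line and keep a single comment such as `%% Deliberate deviation from TLS 1.0: session stays resumable after close without close_notify (invalidation was too costly)`. If the case goes, `negotiated_version = Version` in the head becomes an unused binding and should be removed too; "aginst" should read "against". The clause body continues past the end of the hunk.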
@@ -70,7 +71,8 @@ start_link(Opts) -> gen_server:start_link({local, ?MODULE}, ?MODULE, [Opts], []). %%-------------------------------------------------------------------- --spec connection_init(string()| {der, list()}, client | server) -> {ok, reference(), cache_ref()}. +-spec connection_init(string()| {der, list()}, client | server) -> + {ok, reference(), cache_ref()}. %% %% Description: Do necessary initializations for a new connection. %%-------------------------------------------------------------------- @@ -101,7 +103,9 @@ lookup_trusted_cert(Ref, SerialNumber, Issuer) -> ssl_certificate_db:lookup_trusted_cert(Ref, SerialNumber, Issuer). %%-------------------------------------------------------------------- -spec issuer_candidate(cert_key() | no_candidate) -> - {cert_key(), {der_cert(), #'OTPCertificate'{}}} | no_more_candidates. + {cert_key(), + {der_cert(), + #'OTPCertificate'{}}} | no_more_candidates. %% %% Description: Return next issuer candidate. %%-------------------------------------------------------------------- @@ -117,7 +121,8 @@ client_session_id(Host, Port, SslOpts, OwnCert) -> call({client_session_id, Host, Port, SslOpts, OwnCert}). %%-------------------------------------------------------------------- --spec server_session_id(host(), port_num(), #ssl_options{}, der_cert()) -> session_id(). +-spec server_session_id(host(), port_num(), #ssl_options{}, + der_cert()) -> session_id(). %% %% Description: Select a session id for the server. %%-------------------------------------------------------------------- 
@@ -139,7 +144,9 @@ register_session(Port, Session) -> -spec invalidate_session(port_num(), #session{}) -> ok. -spec invalidate_session(host(), port_num(), #session{}) -> ok. %% -%% Description: Make the session unavilable for reuse. +%% Description: Make the session unavailable for reuse. After +%% a the session has been marked "is_resumable = false" for some while +%% it will be safe to remove the data from the session database. %%-------------------------------------------------------------------- invalidate_session(Host, Port, Session) -> cast({invalidate_session, Host, Port, Session}). @@ -259,23 +266,26 @@ handle_cast({register_session, Port, Session}, {noreply, State}; handle_cast({invalidate_session, Host, Port, - #session{session_id = ID}}, + #session{session_id = ID} = Session}, #state{session_cache = Cache, session_cache_cb = CacheCb} = State) -> - CacheCb:delete(Cache, {{Host, Port}, ID}), + CacheCb:update(Cache, {{Host, Port}, ID}, Session#session{is_resumable = false}), + timer:apply_after(?CLEAN_SESSION_DB, CacheCb, delete, {{Host, Port}, ID}), {noreply, State}; -handle_cast({invalidate_session, Port, #session{session_id = ID}}, +handle_cast({invalidate_session, Port, #session{session_id = ID} = Session}, #state{session_cache = Cache, session_cache_cb = CacheCb} = State) -> - CacheCb:delete(Cache, {Port, ID}), + CacheCb:update(Cache, {Port, ID}, Session#session{is_resumable = false}), + timer:apply_after(?CLEAN_SESSION_DB, CacheCb, delete, {Port, ID}), {noreply, State}; handle_cast({recache_pem, File, LastWrite, Pid, From}, #state{certificate_db = [_, FileToRefDb, _]} = State0) -> case ssl_certificate_db:lookup(File, FileToRefDb) of undefined -> - {reply, Msg, State} = handle_call({{cache_pem, File, LastWrite}, Pid}, From, State0), + {reply, Msg, State} = + handle_call({{cache_pem, File, LastWrite}, Pid}, From, State0), gen_server:reply(From, Msg), {noreply, State}; _ -> %% Send message to self letting cleanup messages be handled |
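Review bot: The delayed cleanup in both `invalidate_session` clauses of `handle_cast` passes a tuple where `timer:apply_after/4` expects a list of arguments, and it omits `Cache`, which the removed `CacheCb:delete(Cache, ...)` call supplied. As written the scheduled delete presumably fails when the timer fires, so every entry marked `is_resumable = false` stays in the session table and the table grows with each invalidation. The calls should read `timer:apply_after(?CLEAN_SESSION_DB, CacheCb, delete, [Cache, {{Host, Port}, ID}])` and `timer:apply_after(?CLEAN_SESSION_DB, CacheCb, delete, [Cache, {Port, ID}])`. Because invalidation now depends on the flag instead of removal, it is worth confirming outside this hunk that every session lookup path checks `is_resumable` before offering a session for reuse.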