Diffstat (limited to 'lib')
-rw-r--r-- | lib/ssl/doc/src/notes.xml | 26 | ||||
-rw-r--r-- | lib/ssl/src/ssl.appup.src | 2 | ||||
-rw-r--r-- | lib/ssl/src/ssl_ssl3.erl | 2 | ||||
-rw-r--r-- | lib/ssl/test/ssl_test_lib.erl | 38 | ||||
-rw-r--r-- | lib/ssl/test/ssl_to_openssl_SUITE.erl | 63 | ||||
-rw-r--r-- | lib/ssl/vsn.mk | 1 |
6 files changed, 95 insertions, 37 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index 8028e94484..f213bd11ae 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -32,22 +32,23 @@ </p> <section><title>SSL 3.11.1</title> - + <section><title>Fixed Bugs and Malfunctions</title> - <list> - <item> + <list> + <item> <p> Fixed handling of several ssl/tls packets arriving at the - same time. This was broken during a refactoring of the + same time. This was broken during a refactoring of the code.</p> - <p> - Own Id: OTP-8679</p> - </item> + <p> + Own Id: OTP-8679</p> + </item> </list> </section> + <section><title>Improvements and New Features</title> - <list> + <list> <item> <p> Added missing checks for padding and Mac value. Removed @@ -75,13 +76,6 @@ </item> <item> <p> - New ssl now support client/server-certificates signed by - dsa keys.</p> - <p> - Own Id: OTP-8587</p> - </item> - <item> - <p> Alert handling has been improved to better handle unexpected but valid messages and the implementation is also changed to avoid timing related issues that could @@ -94,7 +88,7 @@ </item> </list> </section> - + </section> <section><title>SSL 3.11</title> diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src index e8ae6846aa..52a41617bb 100644 --- a/lib/ssl/src/ssl.appup.src +++ b/lib/ssl/src/ssl.appup.src @@ -1,6 +1,7 @@ %% -*- erlang -*- {"%VSN%", [ + {"3.11", [{restart_application, ssl}]}, {"3.10", [{restart_application, ssl}]}, {"3.10.1", [{restart_application, ssl}]}, {"3.10.2", [{restart_application, ssl}]}, @@ -13,6 +14,7 @@ {"3.10.9", [{restart_application, ssl}]} ], [ + {"3.11", [{restart_application, ssl}]}, {"3.10", [{restart_application, ssl}]}, {"3.10.1", [{restart_application, ssl}]}, {"3.10.2", [{restart_application, ssl}]}, diff --git a/lib/ssl/src/ssl_ssl3.erl b/lib/ssl/src/ssl_ssl3.erl index 1cecd10e81..400298a322 100644 --- a/lib/ssl/src/ssl_ssl3.erl +++ b/lib/ssl/src/ssl_ssl3.erl 
@@ -147,7 +147,7 @@ suites() ->
 ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
 ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
 ?TLS_RSA_WITH_AES_128_CBC_SHA,
- %% ?TLS_RSA_WITH_IDEA_CBC_SHA,
+ ?TLS_RSA_WITH_IDEA_CBC_SHA,
 ?TLS_RSA_WITH_RC4_128_SHA,
 ?TLS_RSA_WITH_RC4_128_MD5,
 ?TLS_RSA_WITH_DES_CBC_SHA
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index d11acc8130..40715dbf30 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
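Review bot: Re-enabling `?TLS_RSA_WITH_IDEA_CBC_SHA` in the default `suites()` list changes what every SSLv3/TLS endpoint offers by default, and nothing else in this commit documents it: the notes.xml hunk does not mention it and no test in the ssl_to_openssl_SUITE hunks exercises an IDEA suite. IDEA-CBC is a 64-bit-block cipher, so adding it to the default set widens what a peer can negotiate; the line that was a comment for some reason deserves a comment saying what changed, e.g. `%% IDEA-CBC re-enabled in this commit; kept below the AES suites in preference order`, plus a notes.xml entry. An interoperability test against `openssl s_client -cipher IDEA-CBC-SHA` would confirm the underlying cipher actually works before it is offered. `suites()` starts and ends outside this hunk.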
@@ -319,24 +319,34 @@ cert_options(Config) -> make_dsa_cert(Config) -> - ServerCaInfo = {ServerCaCert, _} = erl_make_certs:make_cert([{key, dsa}]), - {ServerCert, ServerCertKey} = erl_make_certs:make_cert([{key, dsa}, {issuer, ServerCaInfo}]), - ServerCaCertFile = filename:join([?config(priv_dir, Config), - "server", "dsa_cacerts.pem"]), - ServerCertFile = filename:join([?config(priv_dir, Config), - "server", "dsa_cert.pem"]), - ServerKeyFile = filename:join([?config(priv_dir, Config), - "server", "dsa_key.pem"]), - - public_key:der_to_pem(ServerCaCertFile, [{cert, ServerCaCert, not_encrypted}]), - public_key:der_to_pem(ServerCertFile, [{cert, ServerCert, not_encrypted}]), - public_key:der_to_pem(ServerKeyFile, [ServerCertKey]), - + + {ServerCaCertFile, ServerCertFile, ServerKeyFile} = make_dsa_cert_files("server", Config), + {ClientCaCertFile, ClientCertFile, ClientKeyFile} = make_dsa_cert_files("client", Config), [{server_dsa_opts, [{ssl_imp, new},{reuseaddr, true}, {cacertfile, ServerCaCertFile}, - {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]} | Config]. + {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]}, + {client_dsa_opts, [{ssl_imp, new},{reuseaddr, true}, + {cacertfile, ClientCaCertFile}, + {certfile, ClientCertFile}, {keyfile, ClientKeyFile}]} + | Config]. + + +make_dsa_cert_files(RoleStr, Config) -> + CaInfo = {CaCert, _} = erl_make_certs:make_cert([{key, dsa}]), + {Cert, CertKey} = erl_make_certs:make_cert([{key, dsa}, {issuer, CaInfo}]), + CaCertFile = filename:join([?config(priv_dir, Config), + RoleStr, "dsa_cacerts.pem"]), + CertFile = filename:join([?config(priv_dir, Config), + RoleStr, "dsa_cert.pem"]), + KeyFile = filename:join([?config(priv_dir, Config), + RoleStr, "dsa_key.pem"]), + public_key:der_to_pem(CaCertFile, [{cert, CaCert, not_encrypted}]), + public_key:der_to_pem(CertFile, [{cert, Cert, not_encrypted}]), + public_key:der_to_pem(KeyFile, [CertKey]), + {CaCertFile, CertFile, KeyFile}. 
+
 start_upgrade_server(Args) ->
 Result = spawn_link(?MODULE, run_upgrade_server, [Args]),
 receive
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index e4c77b2fb4..4981ac0424 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -143,7 +143,9 @@ all(doc) ->
 all(suite) ->
 [erlang_client_openssl_server,
 erlang_server_openssl_client,
- erlang_server_openssl_client_dsa_cert,
+ %% Comment out when new crypto sign functions is available
+ %%erlang_client_openssl_server_dsa_cert,
+ %%erlang_server_openssl_client_dsa_cert,
 erlang_server_openssl_client_reuse_session,
 erlang_client_openssl_server_renegotiate,
 erlang_client_openssl_server_no_wrap_sequence_number,
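Review bot: In the new `make_dsa_cert_files/2` the results of the three `public_key:der_to_pem/2` calls are discarded, so a failed write — for example a missing `priv_dir/client` directory, which this commit is the first to write into — would only surface later as an unexplained handshake failure in the suite. Assuming the function returns `ok` on success as file:write_file/2 does, matching `ok = public_key:der_to_pem(CaCertFile, [{cert, CaCert, not_encrypted}]),` (and likewise for the cert and key files) fails at the real point of the problem; whether `cert_options/1` creates the `client` directory cannot be seen from this hunk. A one-line header comment on the helper, e.g. `%% Writes a fresh DSA CA and a DSA cert signed by it under priv_dir/RoleStr; returns {CaCertFile, CertFile, KeyFile}.`, would also document the contract the two callers in `make_dsa_cert/1` rely on.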
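Review bot: Both DSA cases are now commented out of `all(suite)`, including the `erlang_client_openssl_server_dsa_cert` case this commit adds, so the new test is never run and the existing `erlang_server_openssl_client_dsa_cert` stops running without any trace in the test report. The comment's wording is also inverted — what is meant is `%% Uncomment when new crypto sign functions are available`. If the DSA path is known not to work until that crypto work lands, a skip with a reason, or keeping the server-side case that was in the list before this commit, would keep the loss of coverage visible rather than silent.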
@@ -250,18 +252,70 @@ erlang_server_openssl_client(Config) when is_list(Config) -> %%-------------------------------------------------------------------- +erlang_client_openssl_server_dsa_cert(doc) -> + ["Test erlang server with openssl client"]; +erlang_client_openssl_server_dsa_cert(suite) -> + []; +erlang_client_openssl_server_dsa_cert(Config) when is_list(Config) -> + process_flag(trap_exit, true), + ClientOpts = ?config(client_dsa_opts, Config), + ServerOpts = ?config(server_dsa_opts, Config), + + {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config), + + Data = "From openssl to erlang", + + Port = ssl_test_lib:inet_port(node()), + CaCertFile = proplists:get_value(cacertfile, ServerOpts), + CertFile = proplists:get_value(certfile, ServerOpts), + KeyFile = proplists:get_value(keyfile, ServerOpts), + + Cmd = "openssl s_server -accept " ++ integer_to_list(Port) ++ + " -cert " ++ CertFile ++ " -CAfile " ++ CaCertFile + ++ " -key " ++ KeyFile ++ " -Verify 2 -tls1 -msg", + + test_server:format("openssl cmd: ~p~n", [Cmd]), + + OpensslPort = open_port({spawn, Cmd}, [stderr_to_stdout]), + + wait_for_openssl_server(), + + Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, + {host, Hostname}, + {from, self()}, + {mfa, {?MODULE, + erlang_ssl_receive, [Data]}}, + {options, ClientOpts}]), + + port_command(OpensslPort, Data), + + ssl_test_lib:check_result(Client, ok), + + %% Clean close down! Server needs to be closed first !! + close_port(OpensslPort), + + ssl_test_lib:close(Client), + process_flag(trap_exit, false), + ok. 
+ +%%-------------------------------------------------------------------- + erlang_server_openssl_client_dsa_cert(doc) -> ["Test erlang server with openssl client"]; erlang_server_openssl_client_dsa_cert(suite) -> []; erlang_server_openssl_client_dsa_cert(Config) when is_list(Config) -> process_flag(trap_exit, true), + ClientOpts = ?config(client_dsa_opts, Config), ServerOpts = ?config(server_dsa_opts, Config), {_, ServerNode, _} = ssl_test_lib:run_where(Config), Data = "From openssl to erlang", - + CaCertFile = proplists:get_value(cacertfile, ClientOpts), + CertFile = proplists:get_value(certfile, ClientOpts), + KeyFile = proplists:get_value(keyfile, ClientOpts), + Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, {from, self()}, {mfa, {?MODULE, erlang_ssl_receive, [Data]}}, @@ -269,7 +323,8 @@ erlang_server_openssl_client_dsa_cert(Config) when is_list(Config) -> Port = ssl_test_lib:inet_port(Server), Cmd = "openssl s_client -port " ++ integer_to_list(Port) ++ - " -host localhost -tls1 -msg", + " -host localhost " ++ " -cert " ++ CertFile ++ " -CAfile " ++ CaCertFile + ++ " -key " ++ KeyFile ++ " -tls1 -msg", test_server:format("openssl cmd: ~p~n", [Cmd]), @@ -283,8 +338,6 @@ erlang_server_openssl_client_dsa_cert(Config) when is_list(Config) -> close_port(OpenSslPort), process_flag(trap_exit, false), ok. - - %%-------------------------------------------------------------------- erlang_server_openssl_client_reuse_session(doc) -> diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk index 5d8be1cd0b..813ce91e32 100644 --- a/lib/ssl/vsn.mk +++ b/lib/ssl/vsn.mk @@ -23,7 +23,6 @@ TICKETS = OTP-8679 \ OTP-7047 \ OTP-7049 \ OTP-8568 \ - OTP-8587 \ OTP-8588 #TICKETS_3.11 = OTP-8517 \ |
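Review bot: The doc clause of the new `erlang_client_openssl_server_dsa_cert/1` is a copy of the server case and says the opposite of what the test does — it starts `openssl s_server` and an Erlang client via `ssl_test_lib:start_client/1`, so it should read `["Test erlang client with openssl server"];`. The openssl command line is assembled by string concatenation and launched with `open_port({spawn, Cmd}, [stderr_to_stdout])`; that matches the existing cases and the paths come from `priv_dir`, but `{spawn_executable, ...}` with an `{args, [...]}` list would not break if `priv_dir` ever contains a space. The whole new function is inside this hunk.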
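Review bot: In the rewritten `Cmd` of `erlang_server_openssl_client_dsa_cert/1` two adjacent literals are joined at runtime, `" -host localhost " ++ " -cert " ++ CertFile`; merging them to `" -host localhost -cert " ++ CertFile ++ " -CAfile " ++ CaCertFile` reads more naturally and avoids the pointless `++`. The enclosing function starts and ends outside this hunk.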