| Age | Commit message (Collapse) | Author |
|---|
|
The Key Usage extension is described in section 4.2.1.3 of X.509, with the following possible flags:
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1), -- recent editions of X.509 have
-- renamed this bit to contentCommitment
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }
In SSL/TLS, when the server certificate contains a RSA key, then:
either a DHE or ECDHE cipher suite is used, in which case the RSA key
is used for a signature (see section 7.4.3 of RFC 5246: the "Server
Key Exchange" message); this exercises the digitalSignature key usage;
or "plain RSA" is used, with a random value (the 48-byte pre-master
secret) being encrypted by the client with the server's public key
(see section 7.4.7.1 of RFC 5246); this is right in the definition of
the keyEncipherment key usage flag.
dataEncipherment does not apply, because what is encrypted is not
directly meaningful data, but a value which is mostly generated
randomly and used to derive symmetric keys. keyAgreement does not
apply either, because that one is for key agreement algorithms which
are not a case of asymmetric encryption (e.g. Diffie-Hellman). The
keyAgreement usage flag would appear in a certificate which contains a
DH key, not a RSA key. nonRepudiation is not used, because whatever is
signed as part of a SSL/TLS key exchange cannot be used as proof for a
third party (there is nothing in a SSL/TLS tunnel that the client
could record and then use to convince a judge when tring to sue the
server itself; the data which is exchanged within the tunnel is not
signed by the server).
When a ECDSA key is used then "keyAgreement" flag is needed for beeing
ECDH "capable" (as opposed to ephemeral ECDHE)
|
|
* ingela/ssl/testcuddling:
ssl: Exclude DTLS tests for one more OpenSSL version for now
ssl: Use sane input data
ssl: Make sure help function works from all parts of test suite
|
|
* lukas/kernel/logger-docs:
Add xmllint to travis build
kernel: Use formatter in simple logger example
|
|
|
|
* maint:
Updated OTP version
Update release notes
Update version numbers
ssl: Prepare for release
ssl: Proper handling of clients that choose to send an empty answer to a certificate request
heart: Use ntohs instead of manual conversion
|
|
* maint-20:
Updated OTP version
Update release notes
Update version numbers
ssl: Prepare for release
ssl: Proper handling of clients that choose to send an empty answer to a certificate request
heart: Use ntohs instead of manual conversion
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* ingela/ssl/client-has-no-cert/ERL-599/OTP-15050:
ssl: Prepare for release
ssl: Proper handling of clients that choose to send an empty answer to a certificate request
|
|
into maint-20
* john/erts/fix-heart-command-overflow/OTP-15034/ERIERL-166:
heart: Use ntohs instead of manual conversion
# Conflicts:
# lib/kernel/test/heart_SUITE.erl
|
|
Depending on context trap_exit flag may be set or not.
So always set trap_exit and consume the EXIT signal and then set it back.
|
|
This reverts commit a0d7ce6d3613d9e031b674a6ba3dbb474c89b639.
|
|
This reverts commit 202bb737e3deabfebee683266f4b7c42781eb521.
|
|
This reverts commit 345f7f527a4c26ef49cef0d81e2c8b71bf01ebc3.
|
|
|
|
|
|
|
|
|
|
* ingela/ssl/do-not-hardcode-cipher-suites:
ssl: Fix ECDSA key decode clause
ssl: Avoid hardcoding of cipher suites and fix ECDH suite handling
ssl: Run all test case combinations
ssl: Update tests to reflect sslv3 is not supported by default
|
|
|
|
ECDH suite handling did not use the EC parameters form the certs
as expected.
|
|
Fix test case code to use keyAgreement for ECDH_ECDSA
|
|
|
|
* peterdmv/inets/prepare_for_release:
inets: Correct runtime_dependencies before release
Change-Id: I6d5bcfd870c072944df79a2f36ac69d8f88499d0
|
|
Change-Id: Ia53fb6bbf0822608ce9f7afe9b905d3bb1ce0b11
|
|
* sverker/lc-thread-exit-free-fix:
erts: Fix memory leak in lock checker at thread exit
|
|
* rickard/process_info/OTP-14966:
Fix scheduled process_info() 'status' request
Fix handling of process-info requests in receive
|
|
|
|
* ingela/dtls/abbreviated:
dtls: Trigger resend in abbreviated handshake if change_cipher_spec is received to early.
|
|
is received to early.
|
|
|
|
* bjorn/compiler/yreg-init:
beam_validator: Verify Y registers in exception-causing instructions
Correct beam_utils:is_killed/3 (again)
|
|
* lars/crypto/test-suite-problem:
[crypto] Skip test cases for specific ssl version on old machine
|
|
Skip the test cases in the engine_SUITE on a specific ssl version
used on one test machine.
|
|
* lars/remove-corba-applications/OTP-14283:
Move the corba applcations to separate repository
|
|
All corba applications are moved to a separate repository.
E.g. orber, ic, cosEvent, cosEventDomain, cosNotifications
cosTime, cosTransactions, cosProperty and cosFileTransfer.
|
|
* raimo/better-TLS-distribution/OTP-14969:
Fix distro CRL test cases short vs long names
Allow check for node name
Move check ip to before SSL handshake
Check client IP from server
Parse cert primarily for host names
Open for host and node allow list
Create plug-in for distro cert nodes
Rewrite TLS dist to handle node names in certs
Improve node allowed check
|
|
* ingela/inets/cert-gen:
inets: Fix better test case data generation
|
|
Inets generated test data that not conform to valid TLS cipher suites
|
|
* ingela/ssl/test-cuddle:
ssl: Handle EXIT messages from test code correctly
|
|
|
|
* ingela/inets/httpc-error-handling/ERL-605/OTP-15042:
inets: Improve httpc gracefulness
|
|
|
|
answer to a certificate request
Solves ERL-599
|
|
* hans/ssh/channel_maintenance/OTP-15041:
ssh: ssh_channel replaced by ssh_client_channel
ssh: ssh_daemon_channel replaced by ssh_server_channel
ssh: Use ssh_daemon_channel_sup and ssh_damon_channel
ssh: Create doc for the ssh_daemon_channel behaviour
|
|
|
