Age | Commit message (Collapse) | Author |
|
* kostis/hipe-icode-cleanup:
Fix dialyzer warning and some code refactoring
OTP-13379
|
|
* legoscia/crl-check-without-dp:
Be suspicious of certificates without CRL DPs
Refactor ssl_crl_SUITE: extract crl_verify_error/6
OTP-13378
|
|
* legoscia/critical-extension-verify-none:
ssl: with verify_none, accept critical extensions
OTP-13377
|
|
* benwilson512/better-maps-with:
Improved maps:with/2 and maps:without/2 algorithm
OTP-13376
|
|
Conflicts:
lib/eldap/src/eldap.erl
|
|
|
|
* rickard/proc-not-running/OTP-13365:
Do not wait for main lock when looking up process not running
|
|
Fix mistakes found by 'xmllint'.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* rickard/dw-cmpxchg-clang/OTP-13336:
Improve cmpxchg8b/cmpxchg16b inline asm
|
|
* rickard/gcc5-pic-cmpxchg8b/OTP-13326:
Improve cmpxchg8b inline asm configure test
|
|
|
|
* sverk/proc-lock-check-fix:
erts: Fix lock checker for process locks
|
|
* hb/add_dialyzer_suppressions/OTP-12862:
Fix a few dialyzer warnings
|
|
|
|
|
|
Conflicts:
lib/ssh/test/ssh_upgrade_SUITE.erl
|
|
|
|
|
|
* ia/ssl/connection_information/OTP-13232/OTP-13343:
ssl: Newer cipher suites now presented correctly
ssl: Include options form connect/listen/accept in connection_information/[1,2]
|
|
Older SSL/TLS versions have cipher suites
that look like {key_exchange(), cipher(), MAC::hash()}
and the hash function used by the PRF (Pseudo Random function)
is implicit and always the same for that protocol version.
In TLS 1.2 a cipher suite is
{key_exchange(), cipher(), MAC::hash(), PRF::hash()}.
Internally a cipher suite is always a four tuple but
for backwards compatibility older cipher suites
will be presented as a three tuples, however new cipher suites
should be presented as four tuples.
|
|
* dgud/debugger/doc:
debugger: Editorial changes in documentation
|
|
|
|
* dgud/observer/doc:
Observer: Editorial changes in documentation
|
|
|
|
Make sure that options only relevant for one role (client|server) is set
to undefined when the other role is invoked. As there are many options to
ssl, and many are optional, we choose to filter out all undefined options
to avoid overwhelming the user with not relevant information.
This way there is no need for any special handling of the role specific options
which is also nice.
|
|
|
|
* rickard/rq-state-bug/OTP-13298:
Fix bug causing run-queue mask to become inconsistent
|
|
* ia/pr/public_key-typos:
Fix public_key documentation typos
To correct version of public_key doc in maint, due to a missed push
of maint but a push of the maint to master merge, some confusion was caused.
Also the original branch (ia/pr/typo-fixes) included ssl typo fixes
that where cherry picked and merged from another branch to add to the confusion.
|
|
|
|
Do lock order check *before* trying to seize lock... duh!
|
|
Clang didn't like that ecx/rcx was mapped to input and output
variables of different types.
|
|
* sverk/nif-test-cuddle:
erts: Fix wobbling test failure in nif_SUITE
|
|
* sverk/openssl-config-doc:
Add --with-ssl-incl and --with-ssl-rpath to docs
|
|
|
|
|
|
|
|
* siri/ct_netconfc/multpile-end-tags/OTP-13323:
[ct_netconfc] Fix XML parsing when multiple messages in package
|
|
If a ssh package contained more than one netconf end tag, then the
second end tag was never detected in ct_netconfc:handle_data. Instead
it was included in the XML data given to the xmerl parser, which then
failed with reason "\"]]>\" is not allowed in content".
This problem was introduced by OTP-13007.
|
|
* legoscia/ssl-doc-typos:
Fix typos in ssl.xml
OTP-13339
|
|
* msantos/ms/typo-windows-build-script:
Fix typo in Windows build scripts
OTP-13337
|
|
* hb/kernel/correct_contract/OTP-13335:
kernel: Correct contract for inet:getifaddrs/1
|
|
|
|
See also http://bugs.erlang.org/browse/ERL-95.
|
|
Previously, if certificate revocation checking was turned on, and a
certificate didn't contain a CRL Distribution Points extension, and
there was no relevant CRL in the cache, then ssl_handshake:crl_check
would accept the certificate even if the crl_check option was set to
reject certificates for which the revocation status could not be
determined. With this change, such certificates will only be accepted
if the crl_check option was set to best_effort.
The process for CRL validation is described in section 6.3 of RFC
5280. The text doesn't mention any special treatment to be given to
certificates without distribution points: it just says "For each
distribution point..." (section 6.3.3), which would leave the
revocation status undetermined, unless there were "any available CRLs
not specified in a distribution point but issued by the certificate
issuer". Thus the result of this algorithm should be UNDETERMINED in
this case, not UNREVOKED, and the crl_check option should govern how
the implementation reacts to this result.
|