| Age | Commit message (Collapse) | Author |
|---|
|
Failing to recognize psk as an anonymous key exchange would fail the connection
when trying to decode an undefined certificate.
|
|
|
|
The Key Usage extension is described in section 4.2.1.3 of X.509, with the following possible flags:
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1), -- recent editions of X.509 have
-- renamed this bit to contentCommitment
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }
In SSL/TLS, when the server certificate contains a RSA key, then:
either a DHE or ECDHE cipher suite is used, in which case the RSA key
is used for a signature (see section 7.4.3 of RFC 5246: the "Server
Key Exchange" message); this exercises the digitalSignature key usage;
or "plain RSA" is used, with a random value (the 48-byte pre-master
secret) being encrypted by the client with the server's public key
(see section 7.4.7.1 of RFC 5246); this is right in the definition of
the keyEncipherment key usage flag.
dataEncipherment does not apply, because what is encrypted is not
directly meaningful data, but a value which is mostly generated
randomly and used to derive symmetric keys. keyAgreement does not
apply either, because that one is for key agreement algorithms which
are not a case of asymmetric encryption (e.g. Diffie-Hellman). The
keyAgreement usage flag would appear in a certificate which contains a
DH key, not a RSA key. nonRepudiation is not used, because whatever is
signed as part of a SSL/TLS key exchange cannot be used as proof for a
third party (there is nothing in a SSL/TLS tunnel that the client
could record and then use to convince a judge when tring to sue the
server itself; the data which is exchanged within the tunnel is not
signed by the server).
When a ECDSA key is used then "keyAgreement" flag is needed for beeing
ECDH "capable" (as opposed to ephemeral ECDHE)
|
|
|
|
ECDH suite handling did not use the EC parameters form the certs
as expected.
Conflicts:
lib/ssl/src/ssl_cipher.erl
|
|
Fix test case code to use keyAgreement for ECDH_ECDSA
Conflicts:
lib/ssl/test/ssl_ECC.erl
lib/ssl/test/ssl_ECC_openssl_SUITE.erl
lib/ssl/test/ssl_to_openssl_SUITE.erl
|
|
When test handling was corrected it was obvious that DTLS ECC handling
was not compleated.
Conflicts:
lib/ssl/src/ssl.erl
lib/ssl/test/Makefile
lib/ssl/test/ssl_ECC.erl
lib/ssl/test/ssl_ECC_SUITE.erl
lib/ssl/test/ssl_ECC_openssl_SUITE.erl
|
|
benign until valgrind version 4.* shows up.
|
|
Two of them only affect valgrind builds
and the one for ERL_CRASH_DUMP_NICE seems benign.
Return value changed in c2d70945dce9cb09d5d7120d6e9ddf7faac8d230
old -> new
-1 -> 0 not found
0 -> 1 found ok
1 -> -1 found but too big
|
|
Don't match floats.
|
|
to include ports and NIF resources.
Added new opaque type 'nif_resource'.
|
|
When doing ssl:controlling_process on a ssl socket that has not
performed the TLS/DTLS handshake that call will succeed even though
the documentation stated otherwise. However if some other ssl option
was incorrect the call would hang. Now {error, closed} will be
returned in the latter case, which is logical independent on if it
should succeed or not in the former case. The former case will continue
to succeed, as it is not dependent of the TLS/DTLS connection being
established, and the documentation is altered slightly to not
explicitly disallow it. If the TLS/DTLS connection later fails and
the socket mode is active, the new controlling process will be
notified as expected.
|
|
httpc 301 redirect: Do not assert scheme ports are equal
|
|
IngelaAndin/ingela/ssl/no-ca-sign-restriction-TLS-1.2/ERL-381/OTP-15173
Ingela/ssl/no ca sign restriction tls 1.2/erl 381/otp 15173
|
|
|
|
This is necessary to prevent an error when calling get_port inside
resolve_authority
|
|
|
|
|
|
When handling 301 redirects from http -> https on Erlang 21.0.1, the
following error is encountered:
```
8> Options = [].
9> httpc:request(head, {"http://rhye.org", []}, Options, []).
{error,{shutdown,{{error,{badmatch,443}},
[{httpc_response,resolve_uri,7,
[{file,"/usr/local/lib/erlang/lib/inets-7.0/src/http_client/httpc_response.erl"},
{line,431}]},
{httpc_response,redirect,2,
[{file,"/usr/local/lib/erlang/lib/inets-7.0/src/http_client/httpc_response.erl"},
{line,396}]},
{httpc_handler,handle_response,1,
[{file,"httpc_handler.erl"},{line,1052}]},
{httpc_handler,handle_info,2,
[{file,"httpc_handler.erl"},{line,283}]},
{gen_server,try_dispatch,4,
[{file,"gen_server.erl"},{line,637}]},
{gen_server,handle_msg,6,
[{file,"gen_server.erl"},{line,711}]},
{proc_lib,init_p_do_apply,3,
[{file,"proc_lib.erl"},{line,249}]}]}}}
```
This seems to be caused by the following code in `resolve_uri`:
```
resolve_uri(Scheme, Host, Port, Path, Query, URI, Map0) ->
case maps:is_key(scheme, URI) of
true ->
Port = get_port(URI)
```
The value of `Port` passed in to `resolve_uri` here is 80, since the
original URL is http. However, since the redirected URL is https, the
`get_port` call returns 443, which is not equal to 80, and crashes.
Assigning to a new variable seems to fix redirects.
|
|
|
|
* hasse/erts/correct_absform:
erts: Correct The Abstract Format
|
|
* bjorn/compiler/cuddle-with-tests:
Call test_lib:recompile/1 from init_per_suite/1
|
|
* bjorn/erts/fix-disassembler:
beam_debug: Fix printing of floating point registers
|
|
Call test_lib:recompile/1 from init_per_suite/1 instead of
from all/0. That makes it easy to find the log from the
compilation in the log file for the init_per_suite/1 test
case.
|
|
* ingela/cuddle/basic_SUITE:
ssl: Fix test case to only check relevant info for the test
|
|
A minor correction regarding literal character types.
|
|
|
|
|
|
|
|
IngelaAndin/ingela/ssl/PSK-hash-sign-selection/ERL-641
Failing to recognize PSK as an anonymous key exchange would fail the connection
when trying to decode an undefined certificate
OTP-15172
|
|
|
|
* sverker/purge-vfork:
erts: Remove obsolete paragraph about ERL_NO_VFORK
|
|
Dummy merge
* sverker/kernel/silence-dialyzer/OTP-15170:
kernel: Silence dialyzer
# Conflicts:
# lib/kernel/src/dist_util.erl
|
|
|
|
|
|
The release notes generated in the README and notes.xml were out of
sync, and notes.xml erroneously listed a fixed bug as open.
|
|
Failing to recognize psk as an anonymous key exchange would fail the connection
when trying to decode an undefined certificate.
|
|
* maint-21:
Updated OTP version
Update release notes
Update version numbers
Eliminate a crash in the beam_jump pass
stdlib: Fix a 'chars_limit' bug
Fix a race condition when generating async operation ids
Fix internal compiler error for map_get/2
beam_type: Fix unsafe optimization
public_key: Remove moduli 5121 and 7167 Thoose were added by 598629aeba9de98e8cdf5637043eb34e5d407751 but are not universaly supported.
|
|
maint
|
|
|
|
This is a hack to make the "noshell" option work; kqueue can poll
these fds but will not report EV_EOF. This may be common to all
all pipes but we have no way to tell whether an fd is a pipe or
not.
|
|
* consistently use var name `Button` instead of `Digit`
* remove unnecessary calls to `do_lock` and `do_unlock`
* fix compile errors
|
|
from erlang:open_port/2 docs.
|
|
|
|
by just adding to NEW_RELEASES
|
|
* maint-20:
Updated OTP version
Prepare release
kernel: Fix tick count bug when pending writes
kernel: Send tick to hidden node even if pending writes
ic: Fix buffer overrun bug in oe_ei_encode_atom
erl_interface: Fix simultaneous connection setup
|
|
|
|
|
|
|
|
* hasse/stdlib/fix_io_lib_pretty/OTP-15159:
stdlib: Fix a 'chars_limit' bug
|
