Age | Commit message (Collapse) | Author |
|
|
|
maint-r14
* ia/ssl-and-public_key/verify_fun_peer_awarness/OTP-8873:
Peer awarness
|
|
* ia/public_key/basic_constraints/OTP-8867:
Better handling of v1 and v2 certificates.
|
|
Changed the verify fun so that it differentiate between the peer
certificate and CA certificates by using valid_peer or valid as the
second argument to the verify fun. It may not always be trivial or
even possible to know when the peer certificate is reached otherwise.
|
|
V1 and v2 certificates does not have any extensions
so then validate_extensions should just accept that
there are none and not end up in missing_basic_constraints clause.
|
|
Changed implementation to retain backwards compatibility for old
option {verify, 0} that shall be equivalent to {verify, verify_none},
also separate the cases unknown CA and selfsigned peer cert, and
restored return value of deprecated function public_key:pem_to_der/1.
|
|
|
|
Added the functionality so that the verification fun will be called
when a certificate is considered valid by the path validation to allow
access to eachs certificate in the path to the user application.
Removed clause that only check that a extension is not critical,
it does alter the verification rusult only withholds information from
the application.
Try to verify subject-AltName, if unable to verify it let
application try.
|
|
|
|
Changed the behavior of the verify_fun option so that
the application can be responsible for handling path validation
errors even on the server side. Also replaced the not yet
documented validate_extensions_fun to be handled by the
verify_fun instead.
If the verify callback fun returns {fail, Reason}, the verification process is
immediately stopped and an alert is sent to the peer and the TLS/SSL
handshake is terminated. If the verify callback fun returns {valid,
UserState}, the verification process is continued. If the verify callback
fun always returns {valid, UserState}, the TLS/SSL handshake will not be
terminated with respect to verification failures and the connection
will be established. The verify callback fun will also be
able to verify application specific extensions.
|
|
* dgud/public_key/make_cert_fix:
Complete rename of erl_make_certs
Rename
Fix issuer issue in generated certs
|
|
Handling of unkown CA certificats was changed in ssl and
public_key to work as intended.
In the process of doing this some test cases has been corrected as
they where wrong but happened to work together with the
incorrect unknown CA handling.
|
|
|
|
|
|
|
|
* ia/public_key_api/OTP-8722:
Revise the public_key API
Resolved, version is now 0.8.
Conflicts:
lib/public_key/vsn.mk
|
|
Cleaned up and documented the public_key API to
make it useful for general use.
|
|
Some application's vsn.mk files contained a list of the ticket
numbers fixed in each version.
Since that information can be obtained from the notes.xml file or
from the merge commits in the git repository (provided that the
branch name includes the ticket number), there is no reason to
manually maintain that information in the vsn.mk files.
|
|
|
|
|
|
|
|
|
|
certificates.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
crypto:des_cbc_decrypt
|
|
|
|
|
|
|
|
* bg/public_key-include_lib:
public_key: fix build of test suites on Windows
|
|
|
|
On Windows, the ERL_TOP environment variable contains
a path that only is valid for cygwin-enabled programs,
such as 'make'. It is not meaningful to pass the value
of $ERL_TOP in the -I option to the Erlang compiler,
because the Erlang emualator does not interpret cygwin
paths correctly. Therefore, -include("test_server.hrl")
will fail to find test_server.hrl.
Work around the problem by using -include_lib().
|
|
* dgud/ssl-patches-from-Wil:
Added a public_key:pkix_transform/2 instead and used it from ssl.
Minor code cleanup
new_ssl fix session reuse
Code cleanup
Send CA list during Certificate Request in new_ssl
OTP-8372 Fixed session reuse (in new_ssl), thanks Wil Tan.
Send CA list during Certificate Request (in new_ssl) , thanks Wil
Tan.
|
|
|
|
When requesting for client certificate, an SSL/TLS server may send a
list of the distinguished names of acceptable certificate authorities.
OpenSSL does this by default.
|
|
|
|
|