| Age | Commit message (Collapse) | Author |
|---|
|
|
|
The PEM cache is now validated by a background process, instead of
always keeping it if it is small enough and clearing it otherwhiss.
That strategy required that small caches where cleared by API function
if a file changes on disk.
However document the clearing API function as it can still be usefull.
|
|
disable option
Conflicts:
lib/ssl/src/ssl_cipher.erl
lib/ssl/src/ssl_record.erl
lib/ssl/src/tls_record.erl
lib/ssl/test/ssl_cipher_SUITE.erl
|
|
|
|
Check that the certificate chain ends with a trusted ROOT CA e.i. a
self-signed certificate, but provide an option partial_chain to
enable the application to define an intermediat CA as trusted.
TLS RFC says:
"unknown_ca
A valid certificate chain or partial chain was received, but the
certificate was not accepted because the CA certificate could not
be located or couldn't be matched with a known, trusted CA. This
message is always fatal."
and also states:
"certificate_list
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following
certificate MUST directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority MAY be omitted from the chain, under the
assumption that the remote end must already possess it in order to
validate it in any case."
X509 RFC says:
"The selection of a trust anchor is a matter of policy: it could be
the top CA in a hierarchical PKI, the CA that issued the verifier's
own certificate(s), or any other CA in a network PKI. The path
validation procedure is the same regardless of the choice of trust
anchor. In addition, different applications may rely on different
trust anchors, or may accept paths that begin with any of a set of
trust anchors."
|
|
|
|
|
|
HonorCipherOrder as implemented in Apache, nginx, lighttpd, etc. This
instructs the server to prefer its own cipher ordering rather than the
client's and can help protect against things like BEAST while
maintaining compatability with clients which only support older ciphers.
This code is mostly written by Andrew Thompson, only the test case was
added by Andreas Schultz.
|
|
|
|
|
|
|
|
|
|
- Set to disable to explicitly disable SNI support.
- Set to a hostname when upgrading from TCP to TLS.
|
|
See RFC 6066 section 3
|
|
|
|
|
|
|
|
|
|
Conflicts:
lib/crypto/doc/src/crypto_app.xml
|
|
|
|
|
|
|
|
OTP-10450
|
|
|
|
|
|
Fix inconsistencies
Fix typos
Fix data types definition
|
|
|
|
|
|
|
|
more "sense" (be true to the specification).
|
|
|
|
Tickets solved by this branch: OTP-8871, OTP-8872 and OTP-9908
|
|
|
|
|
|
* as/ssl-tls-prf-function:
Some protocols (e.g. EAP-PEAP, EAP-TLS, EAP-TTLS)
that use TLS as transport layer need to generate
additional application specific key material
One way to generate such material is to use the
TLS PRF and key material from the TLS session itself
OTP-10024
|
|
transport layer need to generate additional application specific
key material. One way to generate such material is to use the TLS
PRF and key material from the TLS session itself.
This change makes it possible to use a TLS sessions PRF either with
the session internal or caller supplied key material to generate
additional key material.
|
|
|
|
|
|
* ia/ssl/remove-old-ssl/OTP-7048:
Remove old ssl implementation and deprecated function ssl:peercert/1
Conflicts:
lib/ssl/test/Makefile
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ssl:send/2 takes iodata() as a second
argument. erlang:iolist_to_binary should really be called
erlang:iodata_to_binary which caused the mismatch in the first place.
|
|
|
|
|
|
When making an SSL connection (either as client or as server), the
process implementing the connection may use as much as hundreds of
kilobytes of memory, even when idle. This is problematic for any
application maintaining more than just a few SSL connections.
This patch introduces the option { hibernate_after, int() } to the
ssl:connect and ssl:listen functions, making the SSL connection
process go into hibernation after the specified number of milliseconds
of inactivity. This will reduce the memory used by the process to
just a few hundred bytes, making applications with thousands or
more SSL connections feasible, as long as most of the connections
are idle for most of the time (which is typically the case).
The approach of making the process go into hibernation only after
some time of inactivity was chosen because hibernation incurs some
CPU usage, and it is therefore not desirable for a process to
hibernate after each call.
|
|
-------------------------------------------------------------------------
ssl's published documentation states:
ssl_accept(ListenSocket) ->
ssl_accept(ListenSocket, Timeout) -> ok | {error, Reason}
(see http://www.erlang.org/doc/man/ssl.html#ssl_accept-1)
while its code has the specs:
-spec ssl_accept(#sslsocket{}) -> {ok, #sslsocket{}} | {error, reason()}.
-spec ssl_accept(#sslsocket{}, list() | timeout()) -> {ok, #sslsocket{}} | {error, reason()}.
One of the two cannot be right. This should be fixed.
Moreover, I do not see why the spec just mentions list() for the options when the documentation explicitly mentions the options of ssl.
Kostis
---------------------------------------------------------------------
|
