| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
HonorCipherOrder as implemented in Apache, nginx, lighttpd, etc. This
instructs the server to prefer its own cipher ordering rather than the
client's and can help protect against things like BEAST while
maintaining compatability with clients which only support older ciphers.
This code is mostly written by Andrew Thompson, only the test case was
added by Andreas Schultz.
|
|
|
|
|
|
|
|
|
|
- Set to disable to explicitly disable SNI support.
- Set to a hostname when upgrading from TCP to TLS.
|
|
See RFC 6066 section 3
|
|
|
|
|
|
|
|
|
|
Conflicts:
lib/crypto/doc/src/crypto_app.xml
|
|
|
|
|
|
|
|
OTP-10450
|
|
|
|
|
|
Fix inconsistencies
Fix typos
Fix data types definition
|
|
|
|
|
|
|
|
more "sense" (be true to the specification).
|
|
|
|
Tickets solved by this branch: OTP-8871, OTP-8872 and OTP-9908
|
|
|
|
|
|
* as/ssl-tls-prf-function:
Some protocols (e.g. EAP-PEAP, EAP-TLS, EAP-TTLS)
that use TLS as transport layer need to generate
additional application specific key material
One way to generate such material is to use the
TLS PRF and key material from the TLS session itself
OTP-10024
|
|
transport layer need to generate additional application specific
key material. One way to generate such material is to use the TLS
PRF and key material from the TLS session itself.
This change makes it possible to use a TLS sessions PRF either with
the session internal or caller supplied key material to generate
additional key material.
|
|
|
|
|
|
* ia/ssl/remove-old-ssl/OTP-7048:
Remove old ssl implementation and deprecated function ssl:peercert/1
Conflicts:
lib/ssl/test/Makefile
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ssl:send/2 takes iodata() as a second
argument. erlang:iolist_to_binary should really be called
erlang:iodata_to_binary which caused the mismatch in the first place.
|
|
|
|
|
|
When making an SSL connection (either as client or as server), the
process implementing the connection may use as much as hundreds of
kilobytes of memory, even when idle. This is problematic for any
application maintaining more than just a few SSL connections.
This patch introduces the option { hibernate_after, int() } to the
ssl:connect and ssl:listen functions, making the SSL connection
process go into hibernation after the specified number of milliseconds
of inactivity. This will reduce the memory used by the process to
just a few hundred bytes, making applications with thousands or
more SSL connections feasible, as long as most of the connections
are idle for most of the time (which is typically the case).
The approach of making the process go into hibernation only after
some time of inactivity was chosen because hibernation incurs some
CPU usage, and it is therefore not desirable for a process to
hibernate after each call.
|
|
-------------------------------------------------------------------------
ssl's published documentation states:
ssl_accept(ListenSocket) ->
ssl_accept(ListenSocket, Timeout) -> ok | {error, Reason}
(see http://www.erlang.org/doc/man/ssl.html#ssl_accept-1)
while its code has the specs:
-spec ssl_accept(#sslsocket{}) -> {ok, #sslsocket{}} | {error, reason()}.
-spec ssl_accept(#sslsocket{}, list() | timeout()) -> {ok, #sslsocket{}} | {error, reason()}.
One of the two cannot be right. This should be fixed.
Moreover, I do not see why the spec just mentions list() for the options when the documentation explicitly mentions the options of ssl.
Kostis
---------------------------------------------------------------------
|
|
|
|
For testing purposes ssl now also support some anonymous cipher suites
when explicitly configured to do so.
Also moved session cache tests to its own suite, so that timeout
of end_per_testcase when the mnesia is used as session cache will
not affect other test cases.
|
|
maint-r14
* ia/ssl-and-public_key/verify_fun_peer_awarness/OTP-8873:
Peer awarness
|
|
Changed the verify fun so that it differentiate between the peer
certificate and CA certificates by using valid_peer or valid as the
second argument to the verify fun. It may not always be trivial or
even possible to know when the peer certificate is reached otherwise.
|
|
Changed implementation to retain backwards compatibility for old
option {verify, 0} that shall be equivalent to {verify, verify_none},
also separate the cases unknown CA and selfsigned peer cert, and
restored return value of deprecated function public_key:pem_to_der/1.
|
