aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/doc/src/ssl.xml
AgeCommit message (Collapse)Author
2015-03-02ssl: Implement support for TLS_FALLBACK_SCSVIngela Anderton Andin
2015-02-06ssl: Improve PEM cache by validating entriesIngela Anderton Andin
The PEM cache is now validated by a background process, instead of always keeping it if it is small enough and clearing it otherwhiss. That strategy required that small caches where cleared by API function if a file changes on disk. However document the clearing API function as it can still be usefull.
2015-01-23ssl: Reenable padding check for TLS-1.0 and provide backwards compatibleIngela Anderton Andin
disable option Conflicts: lib/ssl/src/ssl_cipher.erl lib/ssl/src/ssl_record.erl lib/ssl/src/tls_record.erl lib/ssl/test/ssl_cipher_SUITE.erl
2014-10-03ssl: Fix link error in documentationIngela Anderton Andin
2014-09-09ssl, public_key: Add new option partial_chainIngela Anderton Andin
Check that the certificate chain ends with a trusted ROOT CA e.i. a self-signed certificate, but provide an option partial_chain to enable the application to define an intermediat CA as trusted. TLS RFC says: "unknown_ca A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not be located or couldn't be matched with a known, trusted CA. This message is always fatal." and also states: "certificate_list This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case." X509 RFC says: "The selection of a trust anchor is a matter of policy: it could be the top CA in a hierarchical PKI, the CA that issued the verifier's own certificate(s), or any other CA in a network PKI. The path validation procedure is the same regardless of the choice of trust anchor. In addition, different applications may rely on different trust anchors, or may accept paths that begin with any of a set of trust anchors."
2014-03-31ssl: Add possibility to specify ssl options when calling ssl:ssl_acceptIngela Anderton Andin
2014-03-03ssl: Improved documentation of the cacertfile optionIngela Anderton Andin
2014-01-21Implement 'honor_cipher_order' SSL server-side optionAndrew Thompson
HonorCipherOrder as implemented in Apache, nginx, lighttpd, etc. This instructs the server to prefer its own cipher ordering rather than the client's and can help protect against things like BEAST while maintaining compatability with clients which only support older ciphers. This code is mostly written by Andrew Thompson, only the test case was added by Andreas Schultz.
2013-11-20Merge branch 'maint'Hans Nilsson
2013-11-19ftp,ssl: Fixes broken type link (ssloption).Hans Nilsson
2013-11-11Merge branch 'maint'Fredrik Gustafsson
2013-11-06Update documentationJulien Barbot
2013-11-06Add a new server_name_indication option to ssl:connectJulien Barbot
- Set to disable to explicitly disable SNI support. - Set to a hostname when upgrading from TCP to TLS.
2013-11-06Add SSL Server Name Indication (SNI) client supportJulien Barbot
See RFC 6066 section 3
2013-11-04Merge branch 'maint'Fredrik Gustafsson
2013-11-01Fix client_preferred_next_protocols documentationJulien Barbot
2013-08-28Merge branch 'maint'Fredrik Gustafsson
2013-08-27ssl: documentation regarding log_alertFredrik Gustafsson
2013-05-08Merge remote-tracking branch 'upstream/maint'Ingela Anderton Andin
Conflicts: lib/crypto/doc/src/crypto_app.xml
2013-05-08crypto: Deprecate functions, update doc and specsIngela Anderton Andin
2013-05-08SSL: add Elliptic Curve support for ssl appAndreas Schultz
2013-04-19Convert XML files to UTF-8Hans Bolinder
2013-04-05ssl & crypto: Documentation enhancementsIngela Anderton Andin
OTP-10450
2013-04-03ssl: Add option to list all available ciper suites and enhanced documentationIngela Anderton Andin
2013-03-28SSL: add documentation for PSK and SRP ciphers optionsAndreas Schultz
2013-03-17Fix SSL Next Protocol Negotiation documentationJulien Barbot
Fix inconsistencies Fix typos Fix data types definition
2013-02-22ssl: Add missing option and linksIngela Anderton Andin
2013-02-12ssl: Generalize cb_info optionIngela Anderton Andin
2012-12-20ssl: Make TLS-1.2 default versionIngela Anderton Andin
2012-09-20ssl: Changed default behaviour of next protocol negotiation to makeIngela Anderton Andin
more "sense" (be true to the specification).
2012-09-20ssl: Update SSL docs for SSL Next Protocol SupportBen Murphy
2012-08-22ssl & public_key: Prepare for releaseIngela Anderton Andin
Tickets solved by this branch: OTP-8871, OTP-8872 and OTP-9908
2012-04-25Improved explanation of depth optionIngela Anderton Andin
2012-03-30Update copyright yearsBjörn-Egil Dahlberg
2012-03-26Merge branch 'as/ssl-tls-prf-function' into maintGustav Simonsson
* as/ssl-tls-prf-function: Some protocols (e.g. EAP-PEAP, EAP-TLS, EAP-TTLS) that use TLS as transport layer need to generate additional application specific key material One way to generate such material is to use the TLS PRF and key material from the TLS session itself OTP-10024
2012-03-05Some protocols (e.g. EAP-PEAP, EAP-TLS, EAP-TTLS) that use TLS asAndreas Schultz
transport layer need to generate additional application specific key material. One way to generate such material is to use the TLS PRF and key material from the TLS session itself. This change makes it possible to use a TLS sessions PRF either with the session internal or caller supplied key material to generate additional key material.
2012-02-28Remove/add extra/missing white spacesRicardo Catalinas Jiménez
2011-11-01Added PKCS-8 support in sslIngela Anderton Andin
2011-10-06Merge branch 'ia/ssl/remove-old-ssl/OTP-7048'Ingela Anderton Andin
* ia/ssl/remove-old-ssl/OTP-7048: Remove old ssl implementation and deprecated function ssl:peercert/1 Conflicts: lib/ssl/test/Makefile
2011-09-28Corrected documentation bugIngela Anderton Andin
2011-09-16Remove old ssl implementation and deprecated function ssl:peercert/1Ingela Anderton Andin
2011-08-08replace "a ssl" with "an ssl"Christian von Roques
2011-08-08Trivial documentation fixesChristian von Roques
2011-06-27Handle inet:getopts/2 and inet:setopts/2 crashesIngela Anderton Andin
2011-05-05Spec correctionsIngela Anderton Andin
2011-04-29Changed iolist() to iodata()Ingela Anderton Andin
ssl:send/2 takes iodata() as a second argument. erlang:iolist_to_binary should really be called erlang:iodata_to_binary which caused the mismatch in the first place.
2011-04-21Fixed blunder in year tagIngela Anderton Andin
2011-04-20Added missing path validation error to documentationIngela Anderton Andin
2011-03-07Add the option { hibernate_after, int() } to ssl:connect and ssl:listenJeroen Koops
When making an SSL connection (either as client or as server), the process implementing the connection may use as much as hundreds of kilobytes of memory, even when idle. This is problematic for any application maintaining more than just a few SSL connections. This patch introduces the option { hibernate_after, int() } to the ssl:connect and ssl:listen functions, making the SSL connection process go into hibernation after the specified number of milliseconds of inactivity. This will reduce the memory used by the process to just a few hundred bytes, making applications with thousands or more SSL connections feasible, as long as most of the connections are idle for most of the time (which is typically the case). The approach of making the process go into hibernation only after some time of inactivity was chosen because hibernation incurs some CPU usage, and it is therefore not desirable for a process to hibernate after each call.
2011-01-10Fixed Dialyzer specsIngela Anderton Andin
------------------------------------------------------------------------- ssl's published documentation states: ssl_accept(ListenSocket) -> ssl_accept(ListenSocket, Timeout) -> ok | {error, Reason} (see http://www.erlang.org/doc/man/ssl.html#ssl_accept-1) while its code has the specs: -spec ssl_accept(#sslsocket{}) -> {ok, #sslsocket{}} | {error, reason()}. -spec ssl_accept(#sslsocket{}, list() | timeout()) -> {ok, #sslsocket{}} | {error, reason()}. One of the two cannot be right. This should be fixed. Moreover, I do not see why the spec just mentions list() for the options when the documentation explicitly mentions the options of ssl. Kostis ---------------------------------------------------------------------