Age | Commit message (Collapse) | Author |
|
* ingela/ssl/phase-out-sslv2-hello/OTP-13465:
ssl: Add option to phase out support for sslv2 client hello
|
|
ssl servers can recognize sslv2 client hellos to interop with clients
that support higher version of SSL/TLS but also offers sslv2
Conflicts:
lib/ssl/src/tls_connection.erl
|
|
|
|
This reverts commit e020f75c10410a6943cd055bfa072a2641eab7da.
|
|
|
|
* legoscia/ssl/tls-dist-more-opts/PR-956/OTP-13429:
Quote curly brackets in command line options
Avoid disappearing ETS tables in ssl_dist_SUITE
Fix db handle for TLS distribution crl_cache opts
Fix ssl_dist_SUITE logging on Windows
More logging in ssl_dist_SUITE
TLS distribution: crl_check and crl_cache options
Allow passing verify_fun for TLS distribution
More informative malformed_ssl_dist_opt error
|
|
* ingela/ssl/doc-enhancment/ERL-131:
ssl: Add default values and clarifications
|
|
|
|
Some legacy TLS 1.0 software does not tolerate the 1/n-1 content
split BEAST mitigation technique. This commit adds a beast_mitigation
SSL option (defaulting to one_n_minus_one) to select or disable the
BEAST mitigation technique.
Valid option values are (one_n_minus_one | zero_n | disabled).
|
|
This reverts commit bd64ad8e15d66e48b36dbe3584315dd5cfc8b59a.
|
|
|
|
Conflicts:
OTP_VERSION
lib/common_test/test/ct_hooks_SUITE_data/cth/tests/ct_update_config_SUITE.erl
lib/common_test/vsn.mk
|
|
|
|
Conflicts:
OTP_VERSION
lib/ssl/doc/src/ssl.xml
lib/ssl/src/ssl_cipher.erl
lib/ssl/src/tls_v1.erl
lib/ssl/test/ssl_basic_SUITE.erl
|
|
|
|
* henrik/update-copyrightyear:
update copyright-year
|
|
In TLS-1.2 The signature algorithm and the hash function algorithm
used to produce the digest that is used when creating the digital signature
may be negotiated through the signature algorithm extension RFC 5246.
We want to make these algorithm pairs configurable.
In connections using lower versions of TLS these algorithms are
implicit defined and can not be negotiated or configured.
DTLS is updated to not cause dialyzer errors, but needs to get a real
implementation later.
|
|
|
|
In TLS-1.2 The signature algorithm and the hash function algorithm
used to produce the digest that is used when creating the digital signature
may be negotiated through the signature algorithm extension RFC 5246.
We want to make these algorithm pairs configurable.
In connections using lower versions of TLS these algorithms are
implicit defined and can not be negotiated or configured.
DTLS is updated to not cause dialyzer errors, but needs to get a real
implementation later.
|
|
|
|
Allow specifying the crl_check and crl_cache options for TLS
distribution connections.
|
|
Accept a value of the form {Module, Function, State} from the command
line. This is different from the {Fun, State} that ssl:connect etc
expect, since there's no clean way to parse a fun from a command line
argument.
|
|
|
|
=== OTP-18.3 ===
Changed Applications:
- asn1-4.0.2
- common_test-1.12
- compiler-6.0.3
- cosNotification-1.2.1
- cosTime-1.2.1
- cosTransactions-1.3.1
- crypto-3.6.3
- debugger-4.1.2
- dialyzer-2.9
- diameter-1.11.2
- edoc-0.7.18
- eldap-1.2.1
- erl_docgen-0.4.2
- erl_interface-3.8.2
- erts-7.3
- eunit-2.2.13
- hipe-3.15
- inets-6.2
- kernel-4.2
- mnesia-4.13.3
- observer-2.1.2
- orber-3.8.1
- public_key-1.1.1
- runtime_tools-1.9.3
- sasl-2.7
- snmp-5.2.2
- ssh-4.2.2
- ssl-7.3
- stdlib-2.8
- test_server-3.10
- tools-2.8.3
- webtool-0.9.1
- wx-1.6.1
- xmerl-1.3.10
Unchanged Applications:
- cosEvent-2.2
- cosEventDomain-1.2
- cosFileTransfer-1.2
- cosProperty-1.2
- et-1.5.1
- gs-1.6
- ic-4.4
- jinterface-1.6.1
- megaco-3.18
- odbc-2.11.1
- os_mon-2.4
- ose-1.1
- otp_mibs-1.1
- parsetools-2.1.1
- percept-0.8.11
- reltool-0.7
- syntax_tools-1.7
- typer-0.9.10
Conflicts:
OTP_VERSION
erts/vsn.mk
lib/test_server/doc/src/notes.xml
lib/test_server/vsn.mk
lib/webtool/doc/src/notes.xml
lib/webtool/vsn.mk
|
|
|
|
|
|
* legoscia/tls_ipv6_dist:
Add inet6_tls_dist, for TLS distribution over IPv6
Conflicts:
lib/ssl/src/ssl_tls_dist_proxy.erl
OTP-13391
|
|
|
|
* legoscia/critical-extension-verify-none:
ssl: with verify_none, accept critical extensions
OTP-13377
|
|
|
|
Make sure that options only relevant for one role (client|server) is set
to undefined when the other role is invoked. As there are many options to
ssl, and many are optional, we choose to filter out all undefined options
to avoid overwhelming the user with not relevant information.
This way there is no need for any special handling of the role specific options
which is also nice.
|
|
* ia/ssl/remove-default-DES/OTP-13195:
ssl: Remove DES ciphers from default configuration
|
|
DES is not considered secure.
Also correct 'Server Name Indication' support description.
|
|
* legoscia/ssl-doc-typos:
Fix typos in ssl.xml
OTP-13339
|
|
|
|
When establishing a TLS connection with {verify, verify_none}, if the
server has a certificate with a critical extension, for example a
"Netscape Cert Type" extension, certificate verification would fail,
which is surprising given that the name of the option suggests that no
verification would be performed.
With this change, certificate extensions marked as critical are
ignored when using verify_none.
|
|
Generalise much of inet_tls_dist, so that inet6_tls_dist can reuse it.
|
|
|
|
|
|
|
|
* ia/ssl/max-sessions/OTP-12392:
ssl: Fix documentation mistakes
ssl: Add upper limit for session cache
ssl: Measure elapsed time with erlang:monotonic_time
|
|
|
|
Conflicts:
OTP_VERSION
erts/doc/src/notes.xml
erts/vsn.mk
lib/kernel/doc/src/notes.xml
lib/kernel/src/kernel.appup.src
lib/kernel/vsn.mk
lib/ssl/doc/src/notes.xml
lib/ssl/src/ssl.appup.src
lib/ssl/src/ssl_cipher.erl
lib/ssl/vsn.mk
otp_versions.table
|
|
If upper limit is reached invalidate the current cache entries, e.i the session
lifetime is the max time a session will be keept, but it may be invalidated
earlier if the max limit for the table is reached. This will keep the ssl
manager process well behaved, not exhusting memeory. Invalidating the entries
will incrementally empty the cache to make room for fresh sessions entries.
|
|
|
|
|
|
|
|
Add possibility to downgrade an SSL/TLS connection to a tcp connection,
and give back the socket control to a user process.
Add application setting to be able to change fatal alert shutdown
timeout, also shorten the default timeout. The fatal alert timeout is
the number of milliseconds between sending of a fatal alert and
closing the connection. Waiting a little while improves the
peers chances to properly receiving the alert so it may
shutdown gracefully.
|
|
Correct merge that went wrong.
|
|
|