| Age | Commit message (Collapse) | Author | 
|---|
|  | * maint-20:
  Updated OTP version
  Update release notes
  Update version numbers
  public_key: verify ip (both v4 and v6)
  public_key: Added IP4 address checks to hostname_verification tests
  ssl: Fix test cases to work on all test platforms
  public_key: Fix dialyzer spec
  ssl: Sessions must be registered with SNI if exists
  ssl: Extend hostname check to fallback to checking IP-address
  public_key, ssl: Handles keys so that APIs are preserved correctly
  ssl: Use ?FUNCTION_NAME
  ssl: Prepare for release
  ssl: Countermeasurements for Bleichenbacher attack
Conflicts:
	lib/public_key/doc/src/public_key.xml
	lib/public_key/test/public_key_SUITE.erl
	lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
	lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf
	lib/ssl/src/dtls_connection.erl
	lib/ssl/src/ssl_connection.erl
	lib/ssl/src/ssl_handshake.erl | 
|  | === OTP-18.3.4.1.1 ===
Changed Applications:
- ssl-7.3.3.0.1
Unchanged Applications:
- asn1-4.0.2
- common_test-1.12.1
- compiler-6.0.3
- cosEvent-2.2
- cosEventDomain-1.2
- cosFileTransfer-1.2
- cosNotification-1.2.1
- cosProperty-1.2
- cosTime-1.2.1
- cosTransactions-1.3.1
- crypto-3.6.3
- debugger-4.1.2
- dialyzer-2.9
- diameter-1.11.2
- edoc-0.7.18
- eldap-1.2.1
- erl_docgen-0.4.2
- erl_interface-3.8.2
- erts-7.3.1
- et-1.5.1
- eunit-2.2.13
- gs-1.6
- hipe-3.15
- ic-4.4
- inets-6.2.4
- jinterface-1.6.1
- kernel-4.2
- megaco-3.18
- mnesia-4.13.4
- observer-2.1.2
- odbc-2.11.1
- orber-3.8.1
- os_mon-2.4
- ose-1.1
- otp_mibs-1.1
- parsetools-2.1.1
- percept-0.8.11
- public_key-1.1.1
- reltool-0.7
- runtime_tools-1.9.3
- sasl-2.7
- snmp-5.2.2
- ssh-4.2.2.1
- stdlib-2.8
- syntax_tools-1.7
- test_server-3.10
- tools-2.8.3
- typer-0.9.10
- webtool-0.9.1
- wx-1.6.1
- xmerl-1.3.10
Conflicts:
	OTP_VERSION
	lib/ssl/vsn.mk
	otp_versions.table | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | * lukas/docs/xmllint_fixes/OTP-14721:
  ssl/ssh: Remove/ignore unused XML_FILES doc files
  Refactor xmllint check and make it fail on failure
  Add toplevel xmllint make target
Conflicts:
	lib/crypto/doc/src/Makefile | 
|  |  | 
|  |  | 
|  | If no SNI is available and the hostname is an IP-address also check
for IP-address match. This check is not as good as a DNS hostname check
and certificates using IP-address are not recommended. | 
|  |  | 
|  | This commit also adds a check to see that all files that
are part of an xi:include also have part of XML_FILES
and vice versa. It also fixes any applications where this
was not true. | 
|  | If no SNI is available and the hostname is an IP-address also check
for IP-address match. This check is not as good as a DNS hostname check
and certificates using IP-address are not recommended. | 
|  | * lars/doc-cleanup/OTP-14475:
  [edoc] Remove unused module otpsgml_layout.erl
  Remove unused files from the documentation build | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | This reverts commit eaf8ca41dfa4850437ad270d3897399c9358ced0. | 
|  |  | 
|  | Conflicts:
	OTP_VERSION
	lib/inets/vsn.mk
	lib/ssl/vsn.mk | 
|  |  | 
|  | When the server_name_indication is sent automatize the
clients check of that the hostname is present in the
servers certificate. Currently server_name_indication shall
be on the dns_id format. If server_name_indication is disabled
it is up to the user to do its own check in the verify_fun. | 
|  | This reverts commit dc57404252c47520f352834ad9be45ad684f96c9. | 
|  |  | 
|  |  | 
|  | Commit 87584ae85893df917ca83cb0c40748fd4da0f3bc added missing release note
but not in the correct place. | 
|  |  | 
|  | Conflicts:
	OTP_VERSION
	erts/vsn.mk
	lib/crypto/c_src/crypto.c
	lib/crypto/src/crypto.erl
	lib/ssh/src/ssh.erl | 
|  |  | 
|  | Add session_id and remove undocumented ssl:session_info/1
Add client_random, server_random and master_secret, they will not be included
in ssl:connection_information/1 as they may affect the connections security if
used recklessly. | 
|  | * maint:
  Updated OTP version
  Prepare release
Conflicts:
	OTP_VERSION
	lib/typer/doc/src/notes.xml
	lib/typer/vsn.mk | 
|  |  | 
|  |  | 
|  | The size/1 callback was added as a non-optional callback in
42b8a29dbae1d626f32bc16dd81a129caf741138 but wasn't added to the
documentation for the ssl_session_cache_api behavior.
Signed-off-by: Steven Danna <[email protected]> | 
|  | If a handshake message is really big it could happen that the ssl
process would hang due to failing of requesting more data from the
socket. This has been fixed.
Also added option to limit max handshake size. It has a default
value that should be big enough to handle normal usage and small
enough to mitigate DoS attacks. | 
|  |  | 
|  |  | 
|  | * ferd/ssl-allow-ecc-config/PR-1210/OTP-13959:
  Add ECC curve selection order config in TLS server | 
|  | As per RFC 4492 Sec 5.1, the preferred order of selection of named
curves is based on client preferences.
Currently, the SSL application only picks entries according to the
absolute order of entries as tracked in a hardcoded list in code.
This patch changes things so that the client-specified order is
preferred. It also allows a mode where the server can be configured to
override the client's preferred order with its own, although the chosen
ECC must still be within both lists.
The configuration is done through the following options:
- `eccs`, shared by clients and servers alike, allows the specification
  of the supported named curves, in their preferred order, and may
  eventually support more values for explicit primes and so on.
- `honor_ecc_order`, a server-only option, is similar to
  `honor_cipher_order` and will, by default let the server pick the
  client-preferred ECC, and otherwise pick the server-preferred one.
The default value for `eccs` is the same as before, although the
server-chosen ECC now defaults to the client rather than previous
choice.
A function `ssl:eccs()` has been added that returns the highest
supported ECCs for the library. | 
|  | Correct "...an exra distribution..." to "...an extra distribution...". | 
|  |  | 
|  |  | 
|  |  | 
|  | * ferd/bypass-pem-cache/PR-1143/OTP-13883:
  ssl: Add documentation of bypass_pem_cache application environment configuration
  ssl: Add new benchmarks to skip file for normal testing
  Adding PEM cache bypass benchmark entries
  Fixing CRL searching in cache bypass
  Add option to bypass SSL PEM cache | 
|  |  | 
|  | Fix some older errors as well. | 
|  |  | 
|  |  |