aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/doc
AgeCommit message (Collapse)Author
2017-03-31Update release notesErlang/OTP
2017-03-14Prepare releaseErlang/OTP
2017-03-10Update copyright yearRickard Green
2017-02-21Document ssl_session_cache_api's size/1 callbackSteven Danna
The size/1 callback was added as a non-optional callback in 42b8a29dbae1d626f32bc16dd81a129caf741138 but wasn't added to the documentation for the ssl_session_cache_api behavior. Signed-off-by: Steven Danna <[email protected]>
2017-01-17ssl: Handle really big handshake packagesIngela Anderton Andin
If a handshake message is really big it could happen that the ssl process would hang due to failing of requesting more data from the socket. This has been fixed. Also added option to limit max handshake size. It has a default value that should be big enough to handle normal usage and small enough to mitigate DoS attacks.
2016-12-09Prepare releaseErlang/OTP
2016-12-07Update copyright-yearErlang/OTP
2016-11-07Merge branch 'ferd/ssl-allow-ecc-config/PR-1210/OTP-13959' into maintIngela Anderton Andin
* ferd/ssl-allow-ecc-config/PR-1210/OTP-13959: Add ECC curve selection order config in TLS server
2016-11-02Add ECC curve selection order config in TLS serverFred Hebert
As per RFC 4492 Sec 5.1, the preferred order of selection of named curves is based on client preferences. Currently, the SSL application only picks entries according to the absolute order of entries as tracked in a hardcoded list in code. This patch changes things so that the client-specified order is preferred. It also allows a mode where the server can be configured to override the client's preferred order with its own, although the chosen ECC must still be within both lists. The configuration is done through the following options: - `eccs`, shared by clients and servers alike, allows the specification of the supported named curves, in their preferred order, and may eventually support more values for explicit primes and so on. - `honor_ecc_order`, a server-only option, is similar to `honor_cipher_order` and will, by default let the server pick the client-preferred ECC, and otherwise pick the server-preferred one. The default value for `eccs` is the same as before, although the server-chosen ECC now defaults to the client rather than previous choice. A function `ssl:eccs()` has been added that returns the highest supported ECCs for the library.
2016-10-27Correct spelling error in ssl_distribution.xmlTrevor Brown
Correct "...an exra distribution..." to "...an extra distribution...".
2016-10-05ssl: Adjust cipher type to conform to implementationIngela Anderton Andin
2016-09-28Update release notesErlang/OTP
2016-09-20Prepare releaseErlang/OTP
2016-09-12Merge branch 'ferd/bypass-pem-cache/PR-1143/OTP-13883' into maintIngela Anderton Andin
* ferd/bypass-pem-cache/PR-1143/OTP-13883: ssl: Add documentation of bypass_pem_cache application environment configuration ssl: Add new benchmarks to skip file for normal testing Adding PEM cache bypass benchmark entries Fixing CRL searching in cache bypass Add option to bypass SSL PEM cache
2016-09-12ssl: Add documentation of bypass_pem_cache application environment configurationIngela Anderton Andin
2016-09-01doc: Correct errors introduced by Editorial changesHans Bolinder
Fix some older errors as well.
2016-08-08Prepare releaseErlang/OTP
2016-06-21Prepare releaseErlang/OTP
2016-06-17ssl: Extend list of supported featuresIngela Anderton Andin
Note these where supported before ssl-8.0
2016-06-17Merge branch 'shlonny/add-asn1-app-to-ssl-distribution-doc/PR-1101'Ingela Anderton Andin
* shlonny/add-asn1-app-to-ssl-distribution-doc/PR-1101: added asn1 to applications needed for start_ssl
2016-06-16ssl: Fix Xmllint errorsIngela Anderton Andin
2016-06-14added asn1 to applications needed for start_sslJohn
2016-06-14Merge branch 'legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530'Ingela Anderton Andin
* legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530: Skip crl_hash_dir_expired test for LibreSSL Add ssl_crl_hash_dir module Function for generating OpenSSL-style name hashes Add public_key:pkix_match_dist_point Improve formatting for crl_{check,cache} options Add issuer arg to ssl_crl_cache_api lookup callback Conflicts: lib/public_key/test/public_key_SUITE.erl
2016-06-14Merge branch 'maint'Henrik Nord
Conflicts: OTP_VERSION lib/inets/vsn.mk lib/ssl/test/ssl_basic_SUITE.erl lib/ssl/vsn.mk
2016-06-13Update release notesErlang/OTP
2016-06-09Add ssl:getstat/1 and ssl:getstat/2Loïc Hoguin
These functions call getstat on the underlying TCP socket. The only way to do this before now was to use a hack, either by looking inside the #sslsocket{} record directly, or by not using the SSL listen/accept functions and upgrading from a TCP socket that is kept around for the purpose of calling getstat later on.
2016-06-07Merge branch 'ingela/ssl/phase-out-sslv2-hello/OTP-13465'Ingela Anderton Andin
* ingela/ssl/phase-out-sslv2-hello/OTP-13465: ssl: Add option to phase out support for sslv2 client hello
2016-06-03ssl: Add option to phase out support for sslv2 client helloIngela Anderton Andin
ssl servers can recognize sslv2 client hellos to interop with clients that support higher version of SSL/TLS but also offers sslv2 Conflicts: lib/ssl/src/tls_connection.erl
2016-06-03Move misplaced period in ssl documentationKenneth Lakin
2016-06-02Revert "Prepare release"Erlang/OTP
This reverts commit e020f75c10410a6943cd055bfa072a2641eab7da.
2016-06-02Prepare releaseErlang/OTP
2016-06-01Merge branch 'legoscia/ssl/tls-dist-more-opts/PR-956/OTP-13429'Raimo Niskanen
* legoscia/ssl/tls-dist-more-opts/PR-956/OTP-13429: Quote curly brackets in command line options Avoid disappearing ETS tables in ssl_dist_SUITE Fix db handle for TLS distribution crl_cache opts Fix ssl_dist_SUITE logging on Windows More logging in ssl_dist_SUITE TLS distribution: crl_check and crl_cache options Allow passing verify_fun for TLS distribution More informative malformed_ssl_dist_opt error
2016-05-27Merge branch 'ingela/ssl/doc-enhancment/ERL-131'Ingela Anderton Andin
* ingela/ssl/doc-enhancment/ERL-131: ssl: Add default values and clarifications
2016-05-27ssl: Add default values and clarificationsIngela Anderton Andin
2016-05-26ssl: Add BEAST mitigation selection optionKenneth Lakin
Some legacy TLS 1.0 software does not tolerate the 1/n-1 content split BEAST mitigation technique. This commit adds a beast_mitigation SSL option (defaulting to one_n_minus_one) to select or disable the BEAST mitigation technique. Valid option values are (one_n_minus_one | zero_n | disabled).
2016-05-12Revert "Prepare release"Erlang/OTP
This reverts commit bd64ad8e15d66e48b36dbe3584315dd5cfc8b59a.
2016-05-11Prepare releaseErlang/OTP
2016-05-04Merge branch 'maint-18'Henrik Nord
Conflicts: OTP_VERSION lib/common_test/test/ct_hooks_SUITE_data/cth/tests/ct_update_config_SUITE.erl lib/common_test/vsn.mk
2016-05-03Prepare releaseErlang/OTP
2016-04-27Merge branch 'maint-18'Henrik Nord
Conflicts: OTP_VERSION lib/ssl/doc/src/ssl.xml lib/ssl/src/ssl_cipher.erl lib/ssl/src/tls_v1.erl lib/ssl/test/ssl_basic_SUITE.erl
2016-04-26Update release notesErlang/OTP
2016-04-13Merge branch 'henrik/update-copyrightyear'Henrik Nord
* henrik/update-copyrightyear: update copyright-year
2016-04-06ssl: Add option signature_algsIngela Anderton Andin
In TLS-1.2 The signature algorithm and the hash function algorithm used to produce the digest that is used when creating the digital signature may be negotiated through the signature algorithm extension RFC 5246. We want to make these algorithm pairs configurable. In connections using lower versions of TLS these algorithms are implicit defined and can not be negotiated or configured. DTLS is updated to not cause dialyzer errors, but needs to get a real implementation later.
2016-04-06ssl: Remove default support for use of md5 in TLS 1.2 signature algorithmsIngela Anderton Andin
2016-04-06ssl: Add option signature_algsIngela Anderton Andin
In TLS-1.2 The signature algorithm and the hash function algorithm used to produce the digest that is used when creating the digital signature may be negotiated through the signature algorithm extension RFC 5246. We want to make these algorithm pairs configurable. In connections using lower versions of TLS these algorithms are implicit defined and can not be negotiated or configured. DTLS is updated to not cause dialyzer errors, but needs to get a real implementation later.
2016-04-05Add ssl_crl_hash_dir moduleMagnus Henoch
This module is an implementation of the ssl_crl_cache_api behaviour. It can be used when there is a directory containing CRLs for all relevant CAs, in the form used by e.g. Apache. The module assumes that the directory is being updated through an external process.
2016-04-01Improve formatting for crl_{check,cache} optionsMagnus Henoch
2016-04-01Add issuer arg to ssl_crl_cache_api lookup callbackMagnus Henoch
Change the ssl_crl_cache_api callback specification, passing the certificate issuer name as an argument to the lookup callback function. Support the previous API too, for the time being. The purpose of this change is to accomodate CRL cache modules that index CRLs by issuer name, not by distribution point URL. While in most cases such lookups could be performed using the select/2 callback function, that doesn't work when the CRL in question contains an Issuing Distribution Point (IDP) extension, since RFC 5280 specifies different processing rules for CRLs specified in a distribution point (DP) and other CRLs. For the latter, a DP is assumed that most likely will not match the IDP of the CRL. In order to accommodate cache modules that index CRLs by issuer name, let's pass them the issuer as well.
2016-03-23Fix transportoption, ssloption, ssloptions types names in the documentationdef_null
2016-03-17TLS distribution: crl_check and crl_cache optionsMagnus Henoch
Allow specifying the crl_check and crl_cache options for TLS distribution connections.