aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/doc
AgeCommit message (Collapse)Author
2016-08-08Prepare releaseErlang/OTP
2016-06-21Prepare releaseErlang/OTP
2016-06-17ssl: Extend list of supported featuresIngela Anderton Andin
Note these where supported before ssl-8.0
2016-06-17Merge branch 'shlonny/add-asn1-app-to-ssl-distribution-doc/PR-1101'Ingela Anderton Andin
* shlonny/add-asn1-app-to-ssl-distribution-doc/PR-1101: added asn1 to applications needed for start_ssl
2016-06-16ssl: Fix Xmllint errorsIngela Anderton Andin
2016-06-14added asn1 to applications needed for start_sslJohn
2016-06-14Merge branch 'legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530'Ingela Anderton Andin
* legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530: Skip crl_hash_dir_expired test for LibreSSL Add ssl_crl_hash_dir module Function for generating OpenSSL-style name hashes Add public_key:pkix_match_dist_point Improve formatting for crl_{check,cache} options Add issuer arg to ssl_crl_cache_api lookup callback Conflicts: lib/public_key/test/public_key_SUITE.erl
2016-06-14Merge branch 'maint'Henrik Nord
Conflicts: OTP_VERSION lib/inets/vsn.mk lib/ssl/test/ssl_basic_SUITE.erl lib/ssl/vsn.mk
2016-06-13Update release notesErlang/OTP
2016-06-09Add ssl:getstat/1 and ssl:getstat/2Loïc Hoguin
These functions call getstat on the underlying TCP socket. The only way to do this before now was to use a hack, either by looking inside the #sslsocket{} record directly, or by not using the SSL listen/accept functions and upgrading from a TCP socket that is kept around for the purpose of calling getstat later on.
2016-06-07Merge branch 'ingela/ssl/phase-out-sslv2-hello/OTP-13465'Ingela Anderton Andin
* ingela/ssl/phase-out-sslv2-hello/OTP-13465: ssl: Add option to phase out support for sslv2 client hello
2016-06-03ssl: Add option to phase out support for sslv2 client helloIngela Anderton Andin
ssl servers can recognize sslv2 client hellos to interop with clients that support higher version of SSL/TLS but also offers sslv2 Conflicts: lib/ssl/src/tls_connection.erl
2016-06-03Move misplaced period in ssl documentationKenneth Lakin
2016-06-02Revert "Prepare release"Erlang/OTP
This reverts commit e020f75c10410a6943cd055bfa072a2641eab7da.
2016-06-02Prepare releaseErlang/OTP
2016-06-01Merge branch 'legoscia/ssl/tls-dist-more-opts/PR-956/OTP-13429'Raimo Niskanen
* legoscia/ssl/tls-dist-more-opts/PR-956/OTP-13429: Quote curly brackets in command line options Avoid disappearing ETS tables in ssl_dist_SUITE Fix db handle for TLS distribution crl_cache opts Fix ssl_dist_SUITE logging on Windows More logging in ssl_dist_SUITE TLS distribution: crl_check and crl_cache options Allow passing verify_fun for TLS distribution More informative malformed_ssl_dist_opt error
2016-05-27Merge branch 'ingela/ssl/doc-enhancment/ERL-131'Ingela Anderton Andin
* ingela/ssl/doc-enhancment/ERL-131: ssl: Add default values and clarifications
2016-05-27ssl: Add default values and clarificationsIngela Anderton Andin
2016-05-26ssl: Add BEAST mitigation selection optionKenneth Lakin
Some legacy TLS 1.0 software does not tolerate the 1/n-1 content split BEAST mitigation technique. This commit adds a beast_mitigation SSL option (defaulting to one_n_minus_one) to select or disable the BEAST mitigation technique. Valid option values are (one_n_minus_one | zero_n | disabled).
2016-05-12Revert "Prepare release"Erlang/OTP
This reverts commit bd64ad8e15d66e48b36dbe3584315dd5cfc8b59a.
2016-05-11Prepare releaseErlang/OTP
2016-05-04Merge branch 'maint-18'Henrik Nord
Conflicts: OTP_VERSION lib/common_test/test/ct_hooks_SUITE_data/cth/tests/ct_update_config_SUITE.erl lib/common_test/vsn.mk
2016-05-03Prepare releaseErlang/OTP
2016-04-27Merge branch 'maint-18'Henrik Nord
Conflicts: OTP_VERSION lib/ssl/doc/src/ssl.xml lib/ssl/src/ssl_cipher.erl lib/ssl/src/tls_v1.erl lib/ssl/test/ssl_basic_SUITE.erl
2016-04-26Update release notesErlang/OTP
2016-04-13Merge branch 'henrik/update-copyrightyear'Henrik Nord
* henrik/update-copyrightyear: update copyright-year
2016-04-06ssl: Add option signature_algsIngela Anderton Andin
In TLS-1.2 The signature algorithm and the hash function algorithm used to produce the digest that is used when creating the digital signature may be negotiated through the signature algorithm extension RFC 5246. We want to make these algorithm pairs configurable. In connections using lower versions of TLS these algorithms are implicit defined and can not be negotiated or configured. DTLS is updated to not cause dialyzer errors, but needs to get a real implementation later.
2016-04-06ssl: Remove default support for use of md5 in TLS 1.2 signature algorithmsIngela Anderton Andin
2016-04-06ssl: Add option signature_algsIngela Anderton Andin
In TLS-1.2 The signature algorithm and the hash function algorithm used to produce the digest that is used when creating the digital signature may be negotiated through the signature algorithm extension RFC 5246. We want to make these algorithm pairs configurable. In connections using lower versions of TLS these algorithms are implicit defined and can not be negotiated or configured. DTLS is updated to not cause dialyzer errors, but needs to get a real implementation later.
2016-04-05Add ssl_crl_hash_dir moduleMagnus Henoch
This module is an implementation of the ssl_crl_cache_api behaviour. It can be used when there is a directory containing CRLs for all relevant CAs, in the form used by e.g. Apache. The module assumes that the directory is being updated through an external process.
2016-04-01Improve formatting for crl_{check,cache} optionsMagnus Henoch
2016-04-01Add issuer arg to ssl_crl_cache_api lookup callbackMagnus Henoch
Change the ssl_crl_cache_api callback specification, passing the certificate issuer name as an argument to the lookup callback function. Support the previous API too, for the time being. The purpose of this change is to accomodate CRL cache modules that index CRLs by issuer name, not by distribution point URL. While in most cases such lookups could be performed using the select/2 callback function, that doesn't work when the CRL in question contains an Issuing Distribution Point (IDP) extension, since RFC 5280 specifies different processing rules for CRLs specified in a distribution point (DP) and other CRLs. For the latter, a DP is assumed that most likely will not match the IDP of the CRL. In order to accommodate cache modules that index CRLs by issuer name, let's pass them the issuer as well.
2016-03-23Fix transportoption, ssloption, ssloptions types names in the documentationdef_null
2016-03-17TLS distribution: crl_check and crl_cache optionsMagnus Henoch
Allow specifying the crl_check and crl_cache options for TLS distribution connections.
2016-03-17Allow passing verify_fun for TLS distributionMagnus Henoch
Accept a value of the form {Module, Function, State} from the command line. This is different from the {Fun, State} that ssl:connect etc expect, since there's no clean way to parse a fun from a command line argument.
2016-03-15update copyright-yearHenrik Nord
2016-03-15Merge tag 'OTP-18.3'Lars Thorsen
=== OTP-18.3 === Changed Applications: - asn1-4.0.2 - common_test-1.12 - compiler-6.0.3 - cosNotification-1.2.1 - cosTime-1.2.1 - cosTransactions-1.3.1 - crypto-3.6.3 - debugger-4.1.2 - dialyzer-2.9 - diameter-1.11.2 - edoc-0.7.18 - eldap-1.2.1 - erl_docgen-0.4.2 - erl_interface-3.8.2 - erts-7.3 - eunit-2.2.13 - hipe-3.15 - inets-6.2 - kernel-4.2 - mnesia-4.13.3 - observer-2.1.2 - orber-3.8.1 - public_key-1.1.1 - runtime_tools-1.9.3 - sasl-2.7 - snmp-5.2.2 - ssh-4.2.2 - ssl-7.3 - stdlib-2.8 - test_server-3.10 - tools-2.8.3 - webtool-0.9.1 - wx-1.6.1 - xmerl-1.3.10 Unchanged Applications: - cosEvent-2.2 - cosEventDomain-1.2 - cosFileTransfer-1.2 - cosProperty-1.2 - et-1.5.1 - gs-1.6 - ic-4.4 - jinterface-1.6.1 - megaco-3.18 - odbc-2.11.1 - os_mon-2.4 - ose-1.1 - otp_mibs-1.1 - parsetools-2.1.1 - percept-0.8.11 - reltool-0.7 - syntax_tools-1.7 - typer-0.9.10 Conflicts: OTP_VERSION erts/vsn.mk lib/test_server/doc/src/notes.xml lib/test_server/vsn.mk lib/webtool/doc/src/notes.xml lib/webtool/vsn.mk
2016-03-14Prepare releaseErlang/OTP
2016-03-02Merge branch 'maint'Henrik Nord
2016-03-02Merge branch 'legoscia/tls_ipv6_dist' into maintHenrik Nord
* legoscia/tls_ipv6_dist: Add inet6_tls_dist, for TLS distribution over IPv6 Conflicts: lib/ssl/src/ssl_tls_dist_proxy.erl OTP-13391
2016-02-25Merge branch 'maint'Henrik Nord
2016-02-25Merge branch 'legoscia/critical-extension-verify-none' into maintHenrik Nord
* legoscia/critical-extension-verify-none: ssl: with verify_none, accept critical extensions OTP-13377
2016-02-22Merge branch 'maint'Ingela Anderton Andin
2016-02-22ssl: Include options form connect/listen/accept in connection_information/[1,2]Ingela Anderton Andin
Make sure that options only relevant for one role (client|server) is set to undefined when the other role is invoked. As there are many options to ssl, and many are optional, we choose to filter out all undefined options to avoid overwhelming the user with not relevant information. This way there is no need for any special handling of the role specific options which is also nice.
2016-02-19Merge branch 'ia/ssl/remove-default-DES/OTP-13195'Ingela Anderton Andin
* ia/ssl/remove-default-DES/OTP-13195: ssl: Remove DES ciphers from default configuration
2016-02-18ssl: Remove DES ciphers from default configurationIngela Anderton Andin
DES is not considered secure. Also correct 'Server Name Indication' support description.
2016-02-18Merge branch 'legoscia/ssl-doc-typos' into maintHenrik Nord
* legoscia/ssl-doc-typos: Fix typos in ssl.xml OTP-13339
2016-02-18Fix typos in ssl.xmlMagnus Henoch
2016-02-17ssl: with verify_none, accept critical extensionsMagnus Henoch
When establishing a TLS connection with {verify, verify_none}, if the server has a certificate with a critical extension, for example a "Netscape Cert Type" extension, certificate verification would fail, which is surprising given that the name of the option suggests that no verification would be performed. With this change, certificate extensions marked as critical are ignored when using verify_none.
2016-02-02Add inet6_tls_dist, for TLS distribution over IPv6Magnus Henoch
Generalise much of inet_tls_dist, so that inet6_tls_dist can reuse it.