aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/doc
AgeCommit message (Collapse)Author
2015-03-17ssl: Add TLS-ALPN supportLoïc Hoguin
This commit adds support for RFC7301, application-layer protocol negotiation. ALPN is the standard based approach to the NPN extension, and is required for HTTP/2. ALPN lives side by side with NPN and provides an equivalent feature but in this case it is the server that decides what protocol to use, not the client. When both ALPN and NPN are sent by a client, and the server is configured with both ALPN and NPN options, ALPN will always take precedence. This behavior can also be found in the OpenSSL implementation of ALPN. ALPN and NPN share the ssl:negotiated_protocol/1 function for retrieving the negotiated protocol. The previously existing function ssl:negotiated_next_protocol/1 still exists, but has been deprecated and removed from the documentation. The tests against OpenSSL require OpenSSL version 1.0.2+.
2015-03-09ssl: Integrate public_key CRL verification with the ssl applicationIngela Anderton Andin
2015-03-05Merge branch 'maint'Ingela Anderton Andin
Conflicts: lib/ssl/src/ssl_cipher.erl lib/ssl/test/ssl_basic_SUITE.erl
2015-03-02ssl: Implement support for TLS_FALLBACK_SCSVIngela Anderton Andin
2015-02-06Merge branch 'maint'Ingela Anderton Andin
Conflicts: lib/ssl/doc/src/ssl_app.xml lib/ssl/src/ssl_manager.erl
2015-02-06ssl: Improve PEM cache by validating entriesIngela Anderton Andin
The PEM cache is now validated by a background process, instead of always keeping it if it is small enough and clearing it otherwhiss. That strategy required that small caches where cleared by API function if a file changes on disk. However document the clearing API function as it can still be usefull.
2015-01-23ssl: Reenable padding check for TLS-1.0 and provide backwards compatibleIngela Anderton Andin
disable option
2015-01-23ssl: Remove sslv3 from the default supported protocol versionsIngela Anderton Andin
2015-01-23ssl: Reenable padding check for TLS-1.0 and provide backwards compatibleIngela Anderton Andin
disable option Conflicts: lib/ssl/src/ssl_cipher.erl lib/ssl/src/ssl_record.erl lib/ssl/src/tls_record.erl lib/ssl/test/ssl_cipher_SUITE.erl
2014-12-10Merge tag 'OTP-17.4'Marcus Arendt
=== OTP-17.4 === Changed Applications: - asn1-3.0.3 - common_test-1.9 - compiler-5.0.3 - crypto-3.4.2 - debugger-4.0.2 - dialyzer-2.7.3 - diameter-1.8 - edoc-0.7.16 - eldap-1.1 - erl_docgen-0.3.7 - erl_interface-3.7.20 - erts-6.3 - eunit-2.2.9 - hipe-3.11.2 - inets-5.10.4 - jinterface-1.5.12 - kernel-3.1 - megaco-3.17.3 - mnesia-4.12.4 - observer-2.0.3 - odbc-2.10.22 - otp_mibs-1.0.10 - parsetools-2.0.12 - percept-0.8.10 - runtime_tools-1.8.15 - snmp-5.1.1 - ssh-3.1 - ssl-5.3.8 - stdlib-2.3 - syntax_tools-1.6.17 - test_server-3.7.2 - tools-2.7.1 - wx-1.3.2 Unchanged Applications: - cosEvent-2.1.15 - cosEventDomain-1.1.14 - cosFileTransfer-1.1.16 - cosNotification-1.1.21 - cosProperty-1.1.17 - cosTime-1.1.14 - cosTransactions-1.2.14 - et-1.5 - gs-1.5.16 - ic-4.3.6 - orber-3.7.1 - os_mon-2.3 - ose-1.0.2 - public_key-0.22.1 - reltool-0.6.6 - sasl-2.4.1 - typer-0.9.8 - webtool-0.8.10 - xmerl-1.3.7 Conflicts: OTP_VERSION erts/vsn.mk
2014-12-09Prepare releaseErlang/OTP
2014-10-15Merge branch 'maint'Hans Nilsson
2014-10-15Merge branch 'maint-17' into maintBruce Yinhe
Conflicts: OTP_VERSION
2014-10-13Merge branch 'ia/ssl/seperate-clinet-server-session-table/OTP-11365'Ingela Anderton Andin
* ia/ssl/seperate-clinet-server-session-table/OTP-11365: ssl: Separate session cache for client and server
2014-10-13ssl: Separate session cache for client and serverIngela Anderton Andin
Even though in the most common case an erlang node will not be both client and server, it may happen (for instance when running the erlang ditribution over TLS). Also try to mitigate the affect of dumb clients that could cause a very lagre session cache on the client side that can cause long delays in the client. The server will have other means to handle a large session table and will not do any select operations on it anyhow.
2014-10-13Update release notesErlang/OTP
2014-10-06Merge branch 'maint'Ingela Anderton Andin
2014-10-03ssl: Fix link error in documentationIngela Anderton Andin
2014-09-17Merge tag 'OTP-17.3'Henrik Nord
=== OTP-17.3 === Changed Applications: - asn1-3.0.2 - common_test-1.8.2 - compiler-5.0.2 - crypto-3.4.1 - dialyzer-2.7.2 - diameter-1.7.1 - edoc-0.7.15 - erl_docgen-0.3.6 - erl_interface-3.7.18 - erts-6.2 - eunit-2.2.8 - hipe-3.11.1 - ic-4.3.6 - inets-5.10.3 - jinterface-1.5.10 - kernel-3.0.3 - megaco-3.17.2 - mnesia-4.12.3 - observer-2.0.2 - odbc-2.10.21 - os_mon-2.3 - ose-1.0.1 - public_key-0.22.1 - sasl-2.4.1 - snmp-5.1 - ssh-3.0.5 - ssl-5.3.6 - stdlib-2.2 - tools-2.7 - wx-1.3.1 Unchanged Applications: - cosEvent-2.1.15 - cosEventDomain-1.1.14 - cosFileTransfer-1.1.16 - cosNotification-1.1.21 - cosProperty-1.1.17 - cosTime-1.1.14 - cosTransactions-1.2.14 - debugger-4.0.1 - eldap-1.0.3 - et-1.5 - gs-1.5.16 - orber-3.7 - otp_mibs-1.0.9 - parsetools-2.0.11 - percept-0.8.9 - reltool-0.6.6 - runtime_tools-1.8.14 - syntax_tools-1.6.16 - test_server-3.7.1 - typer-0.9.8 - webtool-0.8.10 - xmerl-1.3.7 Conflicts: OTP_VERSION erts/vsn.mk
2014-09-15Update release notesErlang/OTP
2014-09-10Merge branch 'maint'Ingela Anderton Andin
2014-09-09ssl, public_key: Add new option partial_chainIngela Anderton Andin
Check that the certificate chain ends with a trusted ROOT CA e.i. a self-signed certificate, but provide an option partial_chain to enable the application to define an intermediat CA as trusted. TLS RFC says: "unknown_ca A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not be located or couldn't be matched with a known, trusted CA. This message is always fatal." and also states: "certificate_list This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case." X509 RFC says: "The selection of a trust anchor is a matter of policy: it could be the top CA in a hierarchical PKI, the CA that issued the verifier's own certificate(s), or any other CA in a network PKI. The path validation procedure is the same regardless of the choice of trust anchor. In addition, different applications may rely on different trust anchors, or may accept paths that begin with any of a set of trust anchors."
2014-09-03ssl: implement AES128-GCM suitesAndreas Schultz
2014-08-25Fix misspellings of 'another'Tuncer Ayaz
2014-06-19Prepare releaseErlang/OTP
2014-04-07Update release notesErlang/OTP
2014-03-31ssl: Add possibility to specify ssl options when calling ssl:ssl_acceptIngela Anderton Andin
2014-03-03ssl: Improved documentation of the cacertfile optionIngela Anderton Andin
2014-01-28Merge branch 'ia/Vagabond/adt-honor-cipher-order/OTP-11621'Ingela Anderton Andin
* ia/Vagabond/adt-honor-cipher-order/OTP-11621: Implement 'honor_cipher_order' SSL server-side option
2014-01-24Merge tag 'OTP_R16B03-1'Magnus Lidén
The R16B03-1 release
2014-01-24Prepare releaseOTP_R16B03-1Erlang/OTP
2014-01-21Implement 'honor_cipher_order' SSL server-side optionAndrew Thompson
HonorCipherOrder as implemented in Apache, nginx, lighttpd, etc. This instructs the server to prefer its own cipher ordering rather than the client's and can help protect against things like BEAST while maintaining compatability with clients which only support older ciphers. This code is mostly written by Andrew Thompson, only the test case was added by Andreas Schultz.
2013-12-10Merge tag 'OTP_R16B03'Magnus Lidén
The R16B03 release Conflicts: lib/sasl/vsn.mk
2013-12-09Prepare releaseOTP_R16B03Erlang/OTP
2013-11-20Merge branch 'maint'Hans Nilsson
2013-11-19ftp,ssl: Fixes broken type link (ssloption).Hans Nilsson
2013-11-11Merge branch 'maint'Fredrik Gustafsson
2013-11-06Update documentationJulien Barbot
2013-11-06Add a new server_name_indication option to ssl:connectJulien Barbot
- Set to disable to explicitly disable SNI support. - Set to a hostname when upgrading from TCP to TLS.
2013-11-06Add SSL Server Name Indication (SNI) client supportJulien Barbot
See RFC 6066 section 3
2013-11-04Merge branch 'maint'Fredrik Gustafsson
2013-11-01Fix client_preferred_next_protocols documentationJulien Barbot
2013-09-17Merge tag 'OTP_R16B02'Magnus Lidén
The R16B02 release Conflicts: lib/sasl/vsn.mk
2013-09-16Prepare releaseOTP_R16B02Erlang/OTP
2013-08-28Merge branch 'maint'Fredrik Gustafsson
2013-08-27ssl: documentation regarding log_alertFredrik Gustafsson
2013-08-23Merge branch 'maint'Fredrik Gustafsson
2013-08-23Merge branch 'maint-r15' into maint-r16Fredrik Gustafsson
Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/http_lib/http_transport.erl lib/inets/src/inets_app/inets.appup.src lib/inets/vsn.mk lib/ssl/doc/src/notes.xml lib/ssl/src/ssl.appup.src lib/ssl/src/ssl.erl lib/ssl/src/ssl_internal.hrl lib/ssl/src/tls_connection.erl lib/ssl/vsn.mk
2013-08-21Update release notesErlang/OTP
2013-06-18Merge tag 'OTP_R16B01'Björn-Egil Dahlberg
The R16B01 release Conflicts: lib/sasl/vsn.mk