aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src/ssl.erl
AgeCommit message (Collapse)Author
2011-06-27Handle inet:getopts/2 and inet:setopts/2 crashesIngela Anderton Andin
2011-05-24Corrected last argument to timer:apply_after also corrected a dilyzer specIngela Anderton Andin
2011-05-16OTP-9094: [httpc] Add support for upload body streaming (PUT and POST).Micael Karlberg
Filipe David Manana OTP-9114: [ftp] Added (type) spec for all exported functions. OTP-9123: mod_esi:deliver/2 made to accept binary data. Bernard Duggan OTP-9124: [httpd] Prevent XSS in error pages. Michael Santos OTP-9131: [httpd] Wrong security property names used in documentation. Garrett Smith OTP-9157: [httpd] Improved error messages. Ricardo Catalinas Jim�nez OTP-9158: [httpd] Fix timeout message generated by mod_esi. Bernard Duggan OTP-9202: [httpd] Extended support for file descriptors. Attila Rajmund Nohl OTP-9230: The default ssl kind has now been changed to essl. OTP-9246: [httpc] httpc manager crash because of a handler retry race condition. Merge branch 'bmk/inets/inet56_integration' into dev
2011-05-12Calling gen_tcp:connect with option {ip, {127,0,0,1}} results in an exit withMicael Karlberg
reason badarg. Neither SSL nor INETS catches this, resulting in crashes with incomprehensible reasons. OTP-9289
2011-05-05Spec correctionsIngela Anderton Andin
2011-05-04Dialyzer spec fixIngela Anderton Andin
2011-04-29Changed iolist() to iodata()Ingela Anderton Andin
ssl:send/2 takes iodata() as a second argument. erlang:iolist_to_binary should really be called erlang:iodata_to_binary which caused the mismatch in the first place.
2011-03-24Implemented encode/decode support for ssh public key filesIngela Anderton Andin
2011-03-07Add the option { hibernate_after, int() } to ssl:connect and ssl:listenJeroen Koops
When making an SSL connection (either as client or as server), the process implementing the connection may use as much as hundreds of kilobytes of memory, even when idle. This is problematic for any application maintaining more than just a few SSL connections. This patch introduces the option { hibernate_after, int() } to the ssl:connect and ssl:listen functions, making the SSL connection process go into hibernation after the specified number of milliseconds of inactivity. This will reduce the memory used by the process to just a few hundred bytes, making applications with thousands or more SSL connections feasible, as long as most of the connections are idle for most of the time (which is typically the case). The approach of making the process go into hibernation only after some time of inactivity was chosen because hibernation incurs some CPU usage, and it is therefore not desirable for a process to hibernate after each call.
2011-02-22Corrected dialyzer specsIngela Anderton Andin
2011-02-11Added missing return value in dialyzer specs (ssl.erl)Ingela Anderton Andin
Suppressed dialyzer warnings with spec if possible to minimize clutter from this file belonging to old ssl.
2011-01-10Fixed Dialyzer specsIngela Anderton Andin
------------------------------------------------------------------------- ssl's published documentation states: ssl_accept(ListenSocket) -> ssl_accept(ListenSocket, Timeout) -> ok | {error, Reason} (see http://www.erlang.org/doc/man/ssl.html#ssl_accept-1) while its code has the specs: -spec ssl_accept(#sslsocket{}) -> {ok, #sslsocket{}} | {error, reason()}. -spec ssl_accept(#sslsocket{}, list() | timeout()) -> {ok, #sslsocket{}} | {error, reason()}. One of the two cannot be right. This should be fixed. Moreover, I do not see why the spec just mentions list() for the options when the documentation explicitly mentions the options of ssl. Kostis ---------------------------------------------------------------------
2010-10-07Anonymous cipher suitesIngela Anderton Andin
For testing purposes ssl now also support some anonymous cipher suites when explicitly configured to do so. Also moved session cache tests to its own suite, so that timeout of end_per_testcase when the mnesia is used as session cache will not affect other test cases.
2010-10-01Merge branch 'maint-r14' into devIngela Anderton Andin
Conflicts: lib/public_key/src/pubkey_cert.erl
2010-09-29Merge branch 'ia/ssl-and-public_key/verify_fun_peer_awarness/OTP-8873' into ↵Erlang/OTP
maint-r14 * ia/ssl-and-public_key/verify_fun_peer_awarness/OTP-8873: Peer awarness
2010-09-29Peer awarnessIngela Anderton Andin
Changed the verify fun so that it differentiate between the peer certificate and CA certificates by using valid_peer or valid as the second argument to the verify fun. It may not always be trivial or even possible to know when the peer certificate is reached otherwise.
2010-09-27Merge branch 'ia/ssl-and-public_key/backwards-compatibility/OTP-8858' into devIngela Anderton Andin
* ia/ssl-and-public_key/backwards-compatibility/OTP-8858: Backwards compatibility Conflicts: lib/ssl/src/ssl_certificate_db.erl Use short INFO-message. Debugging information can be fairly easily recreated so we do not want to clutter the logs.
2010-09-24Backwards compatibilityIngela Anderton Andin
Changed implementation to retain backwards compatibility for old option {verify, 0} that shall be equivalent to {verify, verify_none}, also separate the cases unknown CA and selfsigned peer cert, and restored return value of deprecated function public_key:pem_to_der/1.
2010-09-15Corrected and added dialyzer specsIngela Anderton Andin
2010-09-10Improved certificate extension handlingIngela Anderton Andin
Added the functionality so that the verification fun will be called when a certificate is considered valid by the path validation to allow access to eachs certificate in the path to the user application. Removed clause that only check that a extension is not critical, it does alter the verification rusult only withholds information from the application. Try to verify subject-AltName, if unable to verify it let application try.
2010-09-07Add missed DER dh option.Ingela Anderton Andin
2010-09-06Handling of path validation errors by the applicationIngela Anderton Andin
Changed the behavior of the verify_fun option so that the application can be responsible for handling path validation errors even on the server side. Also replaced the not yet documented validate_extensions_fun to be handled by the verify_fun instead. If the verify callback fun returns {fail, Reason}, the verification process is immediately stopped and an alert is sent to the peer and the TLS/SSL handshake is terminated. If the verify callback fun returns {valid, UserState}, the verification process is continued. If the verify callback fun always returns {valid, UserState}, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established. The verify callback fun will also be able to verify application specific extensions.
2010-09-03DER format in APIIngela Anderton Andin
Added support for inputing certificates and keys directly in DER format these options will override the pem-file options if specified.
2010-08-23Revise the public_key APIIngela Anderton Andin
Cleaned up and documented the public_key API to make it useful for general use.
2010-06-23Added more specs and changed from using own min/2 funtion to erlang:min/2.Ingela Anderton Andin
2010-06-14OTP-8695 New ssl defaultIngela Anderton Andin
Ssl has now switched default implementation and removed deprecated certificate handling. All certificate handling is done by the public_key application.
2010-06-11OTP-8695 New ssl defaultIngela Anderton Andin
Ssl has now switched default implementation and removed deprecated certificate handling. All certificate handling is done by the public_key application.
2010-05-21Decision not to support export cipher suites.Ingela Anderton Andin
2010-05-11OTP-8568 RFC -5746Ingela Anderton Andin
New ssl now supports secure renegotiation as described by RFC 5746.
2010-04-29OTP-8588 Alert and packet handling improvmentIngela Anderton Andin
Alert handling has been improved to better handle unexpected but valid messages and the implementation is also changed to avoid timing related issues that could cause different error messages depending on network latency. Packet handling was sort of broken but would mostly work as expected when socket was in binary mode. This has now been fixed.
2010-04-17Reset inet optionsDan Gudmundsson
Temporary set the inet options on listen socket before doing accept so that the correct options will be inherited by the accept socket. Reset the options afterwards so that repeated use of listen socket get user set values.
2010-04-16Avoid race condition of early handshake messages, when socket is active mode ↵Dan Gudmundsson
is not false.
2010-04-14Enhanced error handlingIngela Anderton Andin
2010-04-13OTP-8554 Certificate extensionsIngela Anderton Andin
2010-04-07Fix ssl:transport_accept/2 to return properly when socket is closedRory Byrne
A badmatch exception is thrown from ssl:transport_accept/2 when ssl:close/1 is called on the socket. This fixes it to return {error,closed} as expected.
2010-04-05Fix mishandling of valid ssl optionsRory Byrne
Using certain valid options in the new ssl implementation results in badarg exceptions. This happens for one documented option 'fail_if_no_peer_cert' and two undocumented options 'verify_client_once' and 'cb_info'.
2010-03-25OTP-7046 Support for Diffie-Hellman keyexchangeIngela Anderton Andin
2010-03-25OTP-8517 RenegotiationIngela Anderton Andin
New ssl now properly handles ssl renegotiation, and initiates a renegotiation if ssl/ltls-sequence numbers comes close to the max value.
2010-02-12Merge branch 'yh/packet_option_for_new_ssl_send' into ccase/r13b04_devErlang/OTP
* yh/packet_option_for_new_ssl_send: Fixed ssl:setopts(Socket, binary) which was didn't work for 'new' ssl. Fixed bug file cache bug and improved the error messages. Allow <c>ssl:listen/2</c> to be called with option {ssl_imp, old}. prepend packet size bytes in ssl:send() in new_ssl implementation OTP-8441 ssl:send/2 ignored packet option, fix provided by YAMASHINA Hio. Fixed a file cache bug which caused problems when the same file was used for both cert and cacert. Allow ssl:listen/2 to be called with option {ssl_imp, old}. Fixed ssl:setopts(Socket, binary) which didn't work for 'new' ssl..
2010-02-12Fixed ssl:setopts(Socket, binary) which was didn't work for 'new' ssl.Dan Gudmundsson
2010-02-12Allow <c>ssl:listen/2</c> to be called with option {ssl_imp, old}.Dan Gudmundsson
2009-11-20The R13B03 release.OTP_R13B03Erlang/OTP