aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src/ssl.erl
AgeCommit message (Collapse)Author
2014-09-10Merge branch 'maint'Ingela Anderton Andin
2014-09-09ssl, public_key: Add new option partial_chainIngela Anderton Andin
Check that the certificate chain ends with a trusted ROOT CA e.i. a self-signed certificate, but provide an option partial_chain to enable the application to define an intermediat CA as trusted. TLS RFC says: "unknown_ca A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not be located or couldn't be matched with a known, trusted CA. This message is always fatal." and also states: "certificate_list This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case." X509 RFC says: "The selection of a trust anchor is a matter of policy: it could be the top CA in a hierarchical PKI, the CA that issued the verifier's own certificate(s), or any other CA in a network PKI. The path validation procedure is the same regardless of the choice of trust anchor. In addition, different applications may rely on different trust anchors, or may accept paths that begin with any of a set of trust anchors."
2014-09-03ssl: implement AES128-GCM suitesAndreas Schultz
2014-06-12ssl: Fix dialyzer specs to reflect realityIngela Anderton Andin
2014-06-05ssl: Version argument to ssl_cipher:anonymous_suites should not be added yet!Ingela Anderton Andin
2014-06-03SSL: always filter the full list of supported ciphers against the supported ↵Andreas Schultz
algorithms With the addition of more ciphers that are not supported in all configurations, using a manually prefiltered cipher list (e.g. EC vs. non-EC ciphers) becomes to complex. Replace the manual split with ssl_cipher:filter_suites/1 in all places. Conflicts: lib/ssl/src/ssl.erl lib/ssl/src/tls_v1.erl
2014-05-28ssl: Filter default ciphers for supported Crypto algorihmsIngela Anderton Andin
2014-05-26ssl: Add ssl options to listen options trackerIngela Anderton Andin
2014-05-12Merge branch 'ia/ssl/inherit/OTP-11897' into maintIngela Anderton Andin
* ia/ssl/inherit/OTP-11897: ssl: Handle socket option inheritance when pooling of accept sockets is used
2014-05-09ssl: Handle socket option inheritance when pooling of accept sockets is usedIngela Anderton Andin
Implement a listen socket tracker process that holds the emulated socket options so that it is possible to implement a destructive ssl:setopts on SSL/TLS listen sockets without changing the options of the internal socket as we want that socket to have the internal socket option values.
2014-05-07ssl: SSL/TLS version input list shall not be order dependentIngela Anderton Andin
2014-04-16ssl: Select supported cipher suites for the negotiated SSL/TLS-versionIngela Anderton Andin
When selecting the available cipher suites for the server all cipher suites for the highest supported SSL/TLS-version would be selected, and not all supported for the negotiated SSL/TLS-version. This could lead to that faulty clients could negotiate cipher suites that they can not support. This change will enable the faulty client to negotiate another cipher suite that it can support.
2014-03-31ssl: Add possibility to specify ssl options when calling ssl:ssl_acceptIngela Anderton Andin
2014-03-25ssl: Improve type specsIngela Anderton Andin
Conflicts: lib/ssl/src/dtls_record.erl
2014-03-25ssl: Refactor and start implementing dtls_connection.erlIngela Anderton Andin
2014-03-04ssl: Add exception for inet and inet6 to proplist checkIngela Anderton Andin
2014-03-04ssl: Add input sanity checkIngela Anderton Andin
Avoid puzzling behavior due to options being disregarded if they are not key value tuples.
2014-02-14ssl: Fix possible mismatch between SSL/TLS version and default ciphersIngela Anderton Andin
2014-02-06ssl: Unicode adaptionsIngela Anderton Andin
2014-01-28ssl: use is_boolean/1 guard in option validationAndreas Schultz
2014-01-21Implement 'honor_cipher_order' SSL server-side optionAndrew Thompson
HonorCipherOrder as implemented in Apache, nginx, lighttpd, etc. This instructs the server to prefer its own cipher ordering rather than the client's and can help protect against things like BEAST while maintaining compatability with clients which only support older ciphers. This code is mostly written by Andrew Thompson, only the test case was added by Andreas Schultz.
2014-01-14ssl: Add missing options validation of server_name_indicationIngela Anderton Andin
2013-12-02ssl: Refactor connetion handlingIngela Anderton Andin
2013-12-02ssl: API and supervisorIngela Anderton Andin
2013-12-02ssl: Refactor APIIngela Anderton Andin
New design : ssl - Main tls - Reflect tls specific semantics dtls - Reflect dtls specific semantics
2013-08-23Merge branch 'maint-r15' into maint-r16Fredrik Gustafsson
Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/http_lib/http_transport.erl lib/inets/src/inets_app/inets.appup.src lib/inets/vsn.mk lib/ssl/doc/src/notes.xml lib/ssl/src/ssl.appup.src lib/ssl/src/ssl.erl lib/ssl/src/ssl_internal.hrl lib/ssl/src/tls_connection.erl lib/ssl/vsn.mk
2013-08-21[inets, ssl]: make log_alert configurable as option in ssl, SSLLogLevel ↵Fredrik Gustafsson
added as option to inets conf file
2013-06-07ssl: Fix dialyzer warningsIngela Anderton Andin
2013-06-04ssl: Structural perarparation to support DTLSIngela Anderton Andin
Also phase in tls module as main API instead of ssl. To make API clearer. As TLS is the new protocol name. Maybe keep some API functions in ssl
2013-05-24ssl: Remove unused `srp_parameters` type specKlaus Trainer
As the file 'lib/ssl/src/ssl_srp_primes.hrl' only contains a specification of a `srp_parameters` type that isn't exported and also isn't referenced anywhere (neither in the code nor in the documentation), the type specification (and hence the file as well) can be removed.
2013-05-08SSL: add Elliptic Curve support for ssl appAndreas Schultz
2013-05-08SSL: filter TLS cipher suites for supported algorithmsAndreas Schultz
2013-04-03ssl: Add option to list all available ciper suites and enhanced documentationIngela Anderton Andin
2013-03-28SSL: add TLS-SRP (RFC 5054) cipher suitesAndreas Schultz
2013-03-28SSL: add TLS PSK (RFC 4279 and RFC 5487) cipher suitesAndreas Schultz
2013-03-05ssl: Check that negotiated version is a supported version.Ingela Anderton Andin
2013-02-18ssl: Further error handling enhancmentsIngela Anderton Andin
follow up enhancments done in commit e56167dd6ca8d37d26ea7f19933691a3bda41113 Make sure format_error return good strings. Replace confusing legacy atoms with more descriptive atoms.
2013-02-12ssl: Generalize cb_info optionIngela Anderton Andin
2012-12-19ssl & orber: Remove ssl:pid/1 (has been pointless since R14)Ingela Anderton Andin
2012-12-06Merge branch 'maint'Ingela Anderton Andin
Conflicts: erts/emulator/sys/vxworks/sys.c erts/vsn.mk lib/ssl/src/ssl_connection.erl lib/ssl/test/ssl_basic_SUITE.erl
2012-12-06ssl: Export sslsocket() dialyzer typeIngela Anderton Andin
2012-11-14Merge remote branch 'upstream/maint'Ingela Anderton Andin
Conflicts: lib/ssl/src/ssl_connection.erl
2012-11-13ssl: Add default values to emulated socket options in internal recordIngela Anderton Andin
The absence of the active default values could cause a process leak
2012-10-01ssl: Improve #sslsocket{} APIIngela Anderton Andin
A #sslsocket{} contains the fsm pid and value that was previously set to old_ssl or new_ssl to make the transition period smoother. Now that old ssl is not supported any more we use this field to store the inet socket reference instead. This enables some API functions to return quicker as they do not need to communicate with the fsm-process.
2012-10-01ssl: It is now possible to call controlling_process on a listen socket,Ingela Anderton Andin
same as in gen_tcp. Made error handling of listen sockets as arguments to funtions expecting a connected socket more inet/gen_tcp like.
2012-09-21ssl: SSL 3.0 does not support next protocol negotiationIngela Anderton Andin
Also shorten test cases names to workaround test framework problems on windows
2012-09-20ssl: Changed default behaviour of next protocol negotiation to makeIngela Anderton Andin
more "sense" (be true to the specification).
2012-09-20ssl: Support for SSL Next Protocol NegotiationBen Murphy
* http://technotes.googlecode.com/git/nextprotoneg.html
2012-08-22ssl: Use crypto:strong_rand_bytes if possibleIngela Anderton Andin
2012-08-22ssl: TLS-1.1 and TLS-1.2 support should not be default until R16Ingela Anderton Andin