Age | Commit message (Collapse) | Author |
|
|
|
There are a lot of cases where `ssl` application just returns unhelpful
`handshake failure` or `internal error`. This patch tries to provide
better diagnostics so operator can debug his SSL misconfiguration
without doing hardcore erlang debugging.
Here is an example escript that incorrectly uses server certificate as a
client one:
https://gist.github.com/binarin/35c34c2df7556bf04c8a878682ef3d67
With the patch it is properly reported as an error in "extended key
usage".
|
|
|
|
This commit adds support for RFC7301, application-layer protocol
negotiation. ALPN is the standard based approach to the NPN
extension, and is required for HTTP/2.
ALPN lives side by side with NPN and provides an equivalent
feature but in this case it is the server that decides what
protocol to use, not the client.
When both ALPN and NPN are sent by a client, and the server is
configured with both ALPN and NPN options, ALPN will always
take precedence. This behavior can also be found in the OpenSSL
implementation of ALPN.
ALPN and NPN share the ssl:negotiated_protocol/1 function for
retrieving the negotiated protocol. The previously existing
function ssl:negotiated_next_protocol/1 still exists, but has
been deprecated and removed from the documentation.
The tests against OpenSSL require OpenSSL version 1.0.2+.
|
|
|
|
|
|
* ia/ssl/continue-dtls-and-specs:
ssl: Avoid dialyzer warnings in dtls code
ssl: Improve type specs
ssl: Refactor and start implementing dtls_connection.erl
|
|
Conflicts:
lib/ssl/src/dtls_record.erl
|
|
unexpected alerts.
Add recognitions of RFC 4366 alerts and handle possible
unimplementd alerts in a gracefully way.
|
|
|
|
|
|
follow up enhancments done in commit
e56167dd6ca8d37d26ea7f19933691a3bda41113
Make sure format_error return good strings. Replace confusing legacy atoms
with more descriptive atoms.
|
|
Remove filter mechanisms that made error messages backwards compatible
with old ssl but hid information about what actually happened.
This does not break the documented API however other reason
terms may be returned, so code that matches on the reason part of
{error, Reason} may fail.
|
|
|
|
|
|
New ssl now supports secure renegotiation as described by RFC 5746.
|
|
|