aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src/ssl_connection.erl
AgeCommit message (Collapse)Author
2011-12-01Callback specs now handled by -callback directive in the behaviour module.Ingela Anderton Andin
2011-11-28If a passive receive was ongoing during a renegotiation the processIngela Anderton Andin
evaluating ssl:recv could be left hanging for ever.
2011-11-28Send ssl_closed notification to active ssl user when a tcp error occursIngela Anderton Andin
2011-11-23Implementation of 1/n-1 splitting countermeasure Rizzo/Duong-BeastIngela Anderton Andin
The code is refactored and improved to make it easier to insert the 1/n-1 splitting countermeasure Rizzo/Duong-Beast that is really done in one function clause in ssl:record_split_bin/3
2011-11-21Mitigate Computational DoS attackIngela Anderton Andin
2011-11-15Improved session cleanup handlingIngela Anderton Andin
Added session status "new" to mark sessions that are in the session database to reserve the session id but not resumable yet and that we want to separate from sessions that has been invalidated for further reuse.
2011-11-15Fix badarith in ssl_session:validate_session/2Ingela Anderton Andin
The time_stamp filed is now initated in the connection process init function, so that invalidations of sessions due to handshake failiures, will not cause sessions in the session table to have an uninitiated time_stamp field.
2011-11-01Added PKCS-8 support in sslIngela Anderton Andin
2011-10-06Merge branch 'ia/ssl/remove-old-ssl/OTP-7048'Ingela Anderton Andin
* ia/ssl/remove-old-ssl/OTP-7048: Remove old ssl implementation and deprecated function ssl:peercert/1 Conflicts: lib/ssl/test/Makefile
2011-09-16Remove old ssl implementation and deprecated function ssl:peercert/1Ingela Anderton Andin
2011-09-16Merge remote branch 'upstream/dev' into majorIngela Anderton Andin
* upstream/dev: Support explicit use of packet option httph and httph_bin
2011-09-16Support explicit use of packet option httph and httph_binIngela Anderton Andin
2011-09-13Merge branch 'ia/ssl/dist/OTP-7053' into majorIngela Anderton Andin
* ia/ssl/dist/OTP-7053: First fully working version Use ssl instead of being a proxy command Connect from both sides works now
2011-09-09First fully working versionIngela Anderton Andin
2011-09-05Corrected spec name errors: ip_adress -> ip_address port_num -> port_numberIngela Anderton Andin
2011-08-31Use inet and gen_* dialyzer specsIngela Anderton Andin
2011-08-08replace "a ssl" with "an ssl"Christian von Roques
2011-06-29Removed global name from the certificate tabelIngela Anderton Andin
We want the certificate table to be handled the same way as the session table and not have a global name, so that we may easier create a separate ssl-manager to handle erlang distribution over ssl.
2011-06-27Handle inet:getopts/2 and inet:setopts/2 crashesIngela Anderton Andin
2011-05-17In TLS 1.1, failure to properly close a connection no longer requiresIngela Anderton Andin
that a session not be resumed. This is a change from TLS 1.0 to conform with widespread implementation practice. Erlang ssl will now in TLS 1.0 conform to the widespread implementation practice instead of the specification to avoid performance issues.
2011-04-29Changed iolist() to iodata()Ingela Anderton Andin
ssl:send/2 takes iodata() as a second argument. erlang:iolist_to_binary should really be called erlang:iodata_to_binary which caused the mismatch in the first place.
2011-03-07Add the option { hibernate_after, int() } to ssl:connect and ssl:listenJeroen Koops
When making an SSL connection (either as client or as server), the process implementing the connection may use as much as hundreds of kilobytes of memory, even when idle. This is problematic for any application maintaining more than just a few SSL connections. This patch introduces the option { hibernate_after, int() } to the ssl:connect and ssl:listen functions, making the SSL connection process go into hibernation after the specified number of milliseconds of inactivity. This will reduce the memory used by the process to just a few hundred bytes, making applications with thousands or more SSL connections feasible, as long as most of the connections are idle for most of the time (which is typically the case). The approach of making the process go into hibernation only after some time of inactivity was chosen because hibernation incurs some CPU usage, and it is therefore not desirable for a process to hibernate after each call.
2011-02-22Modernized some dialyzer specsIngela Anderton Andin
2011-01-13Reduce memory footprintIngela Anderton Andin
Handshake hashes, premaster secret and "public_key_info" does not need to be saved when the connection has been established. The own certificate is no longer duplicated in the state.
2011-01-10Fixed Dialyzer specsIngela Anderton Andin
------------------------------------------------------------------------- ssl's published documentation states: ssl_accept(ListenSocket) -> ssl_accept(ListenSocket, Timeout) -> ok | {error, Reason} (see http://www.erlang.org/doc/man/ssl.html#ssl_accept-1) while its code has the specs: -spec ssl_accept(#sslsocket{}) -> {ok, #sslsocket{}} | {error, reason()}. -spec ssl_accept(#sslsocket{}, list() | timeout()) -> {ok, #sslsocket{}} | {error, reason()}. One of the two cannot be right. This should be fixed. Moreover, I do not see why the spec just mentions list() for the options when the documentation explicitly mentions the options of ssl. Kostis ---------------------------------------------------------------------
2010-12-16Cache invalidation and consistent user closingIngela Anderton Andin
Added cache invalidation control of ssl certificates so that sessions will not be reused if file content is changed. There was a glitch in ssl:close that made it possible to to get eaddrinuse even though reuseadder-option was used. Also improved tests for better user-close handling.
2010-12-16Cache invaldation first version does not break old test casesIngela Anderton Andin
2010-11-30Fixed guard and test caseIngela Anderton Andin
Data to sign and verify should be inputed as binaries. Also cleaned up and moved some dialyzer specs.
2010-11-18Added alert in stream cipher case.Ingela Anderton Andin
Also changed alert to BAD_RECORD_MAC as: "differentiating between bad_record_mac and decryption_failed alerts may permit certain attacks against CBC mode as used in TLS [CBCATT]. It is preferable to uniformly use the bad_record_mac alert to hide the specific type of the error." Also cleaned up the code and changed a few other alert reasons in according to alert descriptions in the TLS RFC 4346. And added function terminate_alert/3 so that we can differentiate between a crash in ssl (a bug in our code) and a crash in the application using ssl.
2010-10-21Merge branch 'ia/ssl/certificate-verify/wrong-key-method/OTP-8897' into devBjörn Gustavsson
* ia/ssl/certificate-verify/wrong-key-method/OTP-8897: Correct handling of client certificate verify message Conflicts: lib/ssl/src/ssl_handshake.erl
2010-10-20Correct handling of client certificate verify messageIngela Anderton Andin
When checking the client certificate verify message the server used the wrong algorithm identifier to determine the signing algorithm, causing a function clause error in the public_key application when the key-exchange algorithm and the public key algorithm of the client certificate happen to differ.
2010-10-07Anonymous cipher suitesIngela Anderton Andin
For testing purposes ssl now also support some anonymous cipher suites when explicitly configured to do so. Also moved session cache tests to its own suite, so that timeout of end_per_testcase when the mnesia is used as session cache will not affect other test cases.
2010-09-15Corrected and added dialyzer specsIngela Anderton Andin
2010-09-07Add missed DER dh option.Ingela Anderton Andin
2010-09-06Handling of path validation errors by the applicationIngela Anderton Andin
Changed the behavior of the verify_fun option so that the application can be responsible for handling path validation errors even on the server side. Also replaced the not yet documented validate_extensions_fun to be handled by the verify_fun instead. If the verify callback fun returns {fail, Reason}, the verification process is immediately stopped and an alert is sent to the peer and the TLS/SSL handshake is terminated. If the verify callback fun returns {valid, UserState}, the verification process is continued. If the verify callback fun always returns {valid, UserState}, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established. The verify callback fun will also be able to verify application specific extensions.
2010-09-03DER format in APIIngela Anderton Andin
Added support for inputing certificates and keys directly in DER format these options will override the pem-file options if specified.
2010-08-31Merge branch 'dgud/ssl/handskake_client_key/OTP-8793' into devDan Gudmundsson
* dgud/ssl/handskake_client_key/OTP-8793: Fix handshake problem with multiple messages in one packet
2010-08-27Fix receiving empty packets.Dan Gudmundsson
Empty packets where not delivered from ssl, it incorrectly assumed there was no data.
2010-08-26Fix handshake problem with multiple messages in one packetDan Gudmundsson
If hello and client_key_exchange message is sent together in the same packet, ssl can't handle it and closes the connection. Also fixed compiler warning.
2010-08-24Handling of {mode, list}Ingela Anderton Andin
Fixed handling of the option {mode, list} that was broken for some packet types for instance line.
2010-08-24Correct behaviour if {packet, line} and mode list are givenThomas Lachmann
This corrects the returned data to be in list format, not binary if both {packet, line} and list are set as option.
2010-08-23Revise the public_key APIIngela Anderton Andin
Cleaned up and documented the public_key API to make it useful for general use.
2010-06-23Added more specs and changed from using own min/2 funtion to erlang:min/2.Ingela Anderton Andin
2010-06-22Refreshed documentation to reflect the change of default implementation.Ingela Anderton Andin
Started to improve code documentation by using -spec directive, and some small refactorings to avoid ugly code.
2010-06-11OTP-8695 New ssl defaultIngela Anderton Andin
Ssl has now switched default implementation and removed deprecated certificate handling. All certificate handling is done by the public_key application.
2010-06-07OTP-8587 DSA key supportIngela Anderton Andin
New ssl now support client/server-certificates signed by dsa keys.
2010-06-04Fixed handling of several ssl/tls packets arriving at the same time.Ingela Anderton Andin
This was broken during a refactoring of the code.
2010-05-28Cleaned codeIngela Anderton Andin
2010-05-28Added code to handle own alert in case MAC or padding check fails.Ingela Anderton Andin
2010-05-27Moved nodelay workaround for linux, as it seems to only work if you doIngela Anderton Andin
it before sending the fatal alert, even though documentation suggests the socket will be flushed on linux as an effect of setting the nodelay option.