Age | Commit message (Collapse) | Author |
|
I did not find any legitimate use of "can not", however skipped
changing e.g RFCs archived in the source tree.
|
|
If negotiating TLS 1.2, TLS 1.3 servers MUST set the last eight bytes
of their Random value to the bytes:
44 4F 57 4E 47 52 44 01
If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2
servers SHOULD set the last eight bytes of their Random value to the
bytes:
44 4F 57 4E 47 52 44 00
Change-Id: If35112f63f42a9af351f4ca9b1846fd3f5b08167
|
|
|
|
IngelaAndin/ingela/ssl/unexpected-call/ERL-664/OTP-15174
ssl: Improve error handling
|
|
When doing ssl:controlling_process on a ssl socket that has not
performed the TLS/DTLS handshake that call will succeed even though
the documentation stated otherwise. However if some other ssl option
was incorrect the call would hang. Now {error, closed} will be
returned in the latter case, which is logical independent on if it
should succeed or not in the former case. The former case will continue
to succeed, as it is not dependent of the TLS/DTLS connection being
established, and the documentation is altered slightly to not
explicitly disallow it. If the TLS/DTLS connection later fails and
the socket mode is active, the new controlling process will be
notified as expected.
|
|
|
|
|
|
|
|
|
|
|
|
- Introduce stateful logging levels to the ssl application:
The SSL option 'log_alert' sets log level to notice/warning
if it is set to true/false. Default log level is notice.
- Add new SSL option 'log_level' that overrides the value of
'log_alert'. Default value is notice.
- 'log_level' debug triggers verbose logging of TLS protocol
messages and logging of ignored alerts in DTLS.
Change-Id: I28d3f4029a5d504ec612abe4b9ae0b7d9b115197
|
|
Change-Id: Id52990a105c81373c7c6034df9a2675f9d0e429a
|
|
Change-Id: I18786a9a8523d0ec3d9ca37ad5b2284721c5c4a1
|
|
Change-Id: I04cb8e4c09b05fc9d7ead0dfae0d83286decdb74
|
|
|
|
ECDH suite handling did not use the EC parameters form the certs
as expected.
|
|
answer to a certificate request
Solves ERL-599
|
|
|
|
|
|
|
|
|
|
... in handle_common_event(), instead of passing it to
handle_own_alert() after wrapping it in a tuple with `StateName` (i.e.
`{StateName, Msg}`).
The `StateName` is passed to handle_normal_shutdown() and to
alert_user(). The latter has a clause matching it against `connection`.
Unfortunately, when the argument was in fact `{StateName, Msg}`, another
clause was executed which dropped the `active` flag value and forced it
to `false`, even if the state was actually `connection`. It meant that
later in send_or_reply(), the alert was not propagated to the user, even
though it should (`active` set to `true` or `once`).
Now that handle_common_event() always passes the actual `StateName`, the
problem is fixed.
ERL-562
|
|
Conflicts:
lib/ssl/src/ssl_cipher.erl
lib/ssl/src/ssl_handshake.erl
|
|
This is a preparation for improvements to come in option handling and
support for TLS-1.3
|
|
* origin/raimo/ssl-dist-bench/OTP-14657:
Write SSL distribution benchmarks
Polish SSL distribution
Handle whitebox test message
Correct distribution doc
Use SNI when connecting
Use -ssl_dist_optfile options
Read in -ssl_dist_optfile to ETS
Facilitate test certs with common root
Stop checking DNS name for SNI
|
|
|
|
|
|
|
|
* ingela/ssl/timing:
ssl: Align timing just in case
|
|
Conflicts:
lib/ssl/src/ssl_connection.erl
|
|
|
|
|
|
Conflicts:
OTP_VERSION
|
|
* maint-20:
Updated OTP version
Update release notes
Update version numbers
public_key: verify ip (both v4 and v6)
public_key: Added IP4 address checks to hostname_verification tests
ssl: Fix test cases to work on all test platforms
public_key: Fix dialyzer spec
ssl: Sessions must be registered with SNI if exists
ssl: Extend hostname check to fallback to checking IP-address
public_key, ssl: Handles keys so that APIs are preserved correctly
ssl: Use ?FUNCTION_NAME
ssl: Prepare for release
ssl: Countermeasurements for Bleichenbacher attack
Conflicts:
lib/public_key/doc/src/public_key.xml
lib/public_key/test/public_key_SUITE.erl
lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf
lib/ssl/src/dtls_connection.erl
lib/ssl/src/ssl_connection.erl
lib/ssl/src/ssl_handshake.erl
|
|
'ingela/maint-20/ssl/extend-hostname-check/OTP-14632/OTP-14655/OTP-14766' into maint-20
* ingela/maint-20/ssl/extend-hostname-check/OTP-14632/OTP-14655/OTP-14766:
ssl: Fix test cases to work on all test platforms
public_key: Fix dialyzer spec
ssl: Sessions must be registered with SNI if exists
ssl: Extend hostname check to fallback to checking IP-address
public_key, ssl: Handles keys so that APIs are preserved correctly
ssl: Use ?FUNCTION_NAME
|
|
|
|
Conflicts:
lib/ssl/src/dtls_connection.erl
lib/ssl/src/ssl_connection.erl
lib/ssl/src/ssl_handshake.erl
lib/ssl/src/tls_connection.erl
|
|
|
|
|
|
If no SNI is available and the hostname is an IP-address also check
for IP-address match. This check is not as good as a DNS hostname check
and certificates using IP-address are not recommended.
|
|
Use ?FUNCTION_NAME macro to enhance code as we will not back-port this
version of the ssl application to versions pre OTP 19.
|
|
|
|
|
|
* ingela/ssl/extend-hostname-check/OTP-14632/OTP-14655:
ssl: Fix test cases to work on all test platforms
public_key: Fix dialyzer spec
ssl: Sessions must be registered with SNI if exists
ssl: Extend hostname check to fallback to checking IP-address
public_key, ssl: Handles keys so that APIs are preserved correctly
|
|
Conflicts:
lib/ssl/src/ssl_connection.erl
|
|
Use ?FUNCTION_NAME macro to enhance code as we will not back-port this
version of the ssl application to versions pre OTP 19.
|
|
|
|
If no SNI is available and the hostname is an IP-address also check
for IP-address match. This check is not as good as a DNS hostname check
and certificates using IP-address are not recommended.
|
|
|
|
|