aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src/ssl_connection.erl
AgeCommit message (Collapse)Author
2018-07-27Change "can not" into "cannot"Raimo Niskanen
I did not find any legitimate use of "can not", however skipped changing e.g RFCs archived in the source tree.
2018-07-19ssl: Implement downgrade protection mechanism (TLS 1.3)Péter Dimitrov
If negotiating TLS 1.2, TLS 1.3 servers MUST set the last eight bytes of their Random value to the bytes: 44 4F 57 4E 47 52 44 01 If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2 servers SHOULD set the last eight bytes of their Random value to the bytes: 44 4F 57 4E 47 52 44 00 Change-Id: If35112f63f42a9af351f4ca9b1846fd3f5b08167
2018-07-11Merge branch 'maint'Ingela Anderton Andin
2018-07-11Merge pull request #1869 from ↵Ingela Andin
IngelaAndin/ingela/ssl/unexpected-call/ERL-664/OTP-15174 ssl: Improve error handling
2018-07-09ssl: Improve error handlingIngela Anderton Andin
When doing ssl:controlling_process on a ssl socket that has not performed the TLS/DTLS handshake that call will succeed even though the documentation stated otherwise. However if some other ssl option was incorrect the call would hang. Now {error, closed} will be returned in the latter case, which is logical independent on if it should succeed or not in the former case. The former case will continue to succeed, as it is not dependent of the TLS/DTLS connection being established, and the documentation is altered slightly to not explicitly disallow it. If the TLS/DTLS connection later fails and the socket mode is active, the new controlling process will be notified as expected.
2018-07-06Merge branch 'maint'Ingela Anderton Andin
2018-07-05ssl: Correct connection_information on ECC-curvesIngela Anderton Andin
2018-07-05Merge branch 'maint'Ingela Anderton Andin
2018-07-04ssl: Do not use legacy formatIngela Anderton Andin
2018-07-04ssl: Add connection information on new cipher_suite formatIngela Anderton Andin
2018-07-02ssl: Add support for stateful loggingPéter Dimitrov
- Introduce stateful logging levels to the ssl application: The SSL option 'log_alert' sets log level to notice/warning if it is set to true/false. Default log level is notice. - Add new SSL option 'log_level' that overrides the value of 'log_alert'. Default value is notice. - 'log_level' debug triggers verbose logging of TLS protocol messages and logging of ignored alerts in DTLS. Change-Id: I28d3f4029a5d504ec612abe4b9ae0b7d9b115197
2018-06-20ssl: Update domain filter, use log macrosPéter Dimitrov
Change-Id: Id52990a105c81373c7c6034df9a2675f9d0e429a
2018-06-20ssl: Add logging for TLS record protocolPéter Dimitrov
Change-Id: I18786a9a8523d0ec3d9ca37ad5b2284721c5c4a1
2018-06-20ssl: Use logger API instead of legacy error_loggerPéter Dimitrov
Change-Id: I04cb8e4c09b05fc9d7ead0dfae0d83286decdb74
2018-06-18Update copyright yearHenrik Nord
2018-04-30ssl: Avoid hardcoding of cipher suites and fix ECDH suite handlingIngela Anderton Andin
ECDH suite handling did not use the EC parameters form the certs as expected.
2018-04-26ssl: Proper handling of clients that choose to send an emptyIngela Anderton Andin
answer to a certificate request Solves ERL-599
2018-04-24ssl: Add new API functionsIngela Anderton Andin
2018-04-24ssl: Prepare to replace ssl:ssl_accept with ssl:handshakeIngela Anderton Andin
2018-03-09ssl: Remove interoperability option v2_hello_compatibleIngela Anderton Andin
2018-02-12Merge branch 'maint'Ingela Anderton Andin
2018-02-09ssl: Add the unexpected message to #alert{}Jean-Sébastien Pédron
... in handle_common_event(), instead of passing it to handle_own_alert() after wrapping it in a tuple with `StateName` (i.e. `{StateName, Msg}`). The `StateName` is passed to handle_normal_shutdown() and to alert_user(). The latter has a clause matching it against `connection`. Unfortunately, when the argument was in fact `{StateName, Msg}`, another clause was executed which dropped the `active` flag value and forced it to `false`, even if the state was actually `connection`. It meant that later in send_or_reply(), the alert was not propagated to the user, even though it should (`active` set to `true` or `once`). Now that handle_common_event() always passes the actual `StateName`, the problem is fixed. ERL-562
2017-12-05Merge branch 'maint'Ingela Anderton Andin
Conflicts: lib/ssl/src/ssl_cipher.erl lib/ssl/src/ssl_handshake.erl
2017-12-05ssl: Use maps for cipher suites internallyIngela Anderton Andin
This is a preparation for improvements to come in option handling and support for TLS-1.3
2017-12-04Merge branch 'raimo/ssl-dist-bench/OTP-14657'Raimo Niskanen
* origin/raimo/ssl-dist-bench/OTP-14657: Write SSL distribution benchmarks Polish SSL distribution Handle whitebox test message Correct distribution doc Use SNI when connecting Use -ssl_dist_optfile options Read in -ssl_dist_optfile to ETS Facilitate test certs with common root Stop checking DNS name for SNI
2017-12-04Polish SSL distributionRaimo Niskanen
2017-12-04Handle whitebox test messageRaimo Niskanen
2017-12-01Merge branch 'maint'Ingela Anderton Andin
2017-12-01Merge branch 'ingela/ssl/timing' into maintIngela Anderton Andin
* ingela/ssl/timing: ssl: Align timing just in case
2017-11-29Merge branch 'maint'Ingela Anderton Andin
Conflicts: lib/ssl/src/ssl_connection.erl
2017-11-28ssl: Align timing just in caseIngela Anderton Andin
2017-11-24ssl: Use genstamtem properlyIngela Anderton Andin
2017-11-23Merge branch 'maint'Ingela Anderton Andin
Conflicts: OTP_VERSION
2017-11-23Merge branch 'maint-20' into maintIngela Anderton Andin
* maint-20: Updated OTP version Update release notes Update version numbers public_key: verify ip (both v4 and v6) public_key: Added IP4 address checks to hostname_verification tests ssl: Fix test cases to work on all test platforms public_key: Fix dialyzer spec ssl: Sessions must be registered with SNI if exists ssl: Extend hostname check to fallback to checking IP-address public_key, ssl: Handles keys so that APIs are preserved correctly ssl: Use ?FUNCTION_NAME ssl: Prepare for release ssl: Countermeasurements for Bleichenbacher attack Conflicts: lib/public_key/doc/src/public_key.xml lib/public_key/test/public_key_SUITE.erl lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf lib/ssl/src/dtls_connection.erl lib/ssl/src/ssl_connection.erl lib/ssl/src/ssl_handshake.erl
2017-11-22Merge branch ↵Erlang/OTP
'ingela/maint-20/ssl/extend-hostname-check/OTP-14632/OTP-14655/OTP-14766' into maint-20 * ingela/maint-20/ssl/extend-hostname-check/OTP-14632/OTP-14655/OTP-14766: ssl: Fix test cases to work on all test platforms public_key: Fix dialyzer spec ssl: Sessions must be registered with SNI if exists ssl: Extend hostname check to fallback to checking IP-address public_key, ssl: Handles keys so that APIs are preserved correctly ssl: Use ?FUNCTION_NAME
2017-11-16ssl: Resolve merge conflict resolution errorIngela Anderton Andin
2017-11-16Merge branch 'maint'Ingela Anderton Andin
Conflicts: lib/ssl/src/dtls_connection.erl lib/ssl/src/ssl_connection.erl lib/ssl/src/ssl_handshake.erl lib/ssl/src/tls_connection.erl
2017-11-16ssl: Align code of main modules implementing the gen_statem behaviourIngela Anderton Andin
2017-11-09ssl: Sessions must be registered with SNI if existsIngela Anderton Andin
2017-11-09ssl: Extend hostname check to fallback to checking IP-addressIngela Anderton Andin
If no SNI is available and the hostname is an IP-address also check for IP-address match. This check is not as good as a DNS hostname check and certificates using IP-address are not recommended.
2017-11-09 ssl: Use ?FUNCTION_NAMEIngela Anderton Andin
Use ?FUNCTION_NAME macro to enhance code as we will not back-port this version of the ssl application to versions pre OTP 19.
2017-11-09ssl: Countermeasurements for Bleichenbacher attackIngela Anderton Andin
2017-10-17Merge branch 'maint'Ingela Anderton Andin
2017-10-17Merge branch 'ingela/ssl/extend-hostname-check/OTP-14632/OTP-14655' into maintIngela Anderton Andin
* ingela/ssl/extend-hostname-check/OTP-14632/OTP-14655: ssl: Fix test cases to work on all test platforms public_key: Fix dialyzer spec ssl: Sessions must be registered with SNI if exists ssl: Extend hostname check to fallback to checking IP-address public_key, ssl: Handles keys so that APIs are preserved correctly
2017-10-16Merge branch 'maint'Ingela Anderton Andin
Conflicts: lib/ssl/src/ssl_connection.erl
2017-10-16 ssl: Use ?FUNCTION_NAMEIngela Anderton Andin
Use ?FUNCTION_NAME macro to enhance code as we will not back-port this version of the ssl application to versions pre OTP 19.
2017-10-13ssl: Sessions must be registered with SNI if existsIngela Anderton Andin
2017-10-13ssl: Extend hostname check to fallback to checking IP-addressIngela Anderton Andin
If no SNI is available and the hostname is an IP-address also check for IP-address match. This check is not as good as a DNS hostname check and certificates using IP-address are not recommended.
2017-10-02Merge branch 'maint'Ingela Anderton Andin
2017-09-30dtls: Compleate DTLS renegotiate implementationIngela Anderton Andin