aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src/ssl_connection.erl
AgeCommit message (Collapse)Author
2014-12-01ssl: Change code to reflect that state data may be secretIngela Anderton Andin
2014-09-09ssl, public_key: Add new option partial_chainIngela Anderton Andin
Check that the certificate chain ends with a trusted ROOT CA e.i. a self-signed certificate, but provide an option partial_chain to enable the application to define an intermediat CA as trusted. TLS RFC says: "unknown_ca A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not be located or couldn't be matched with a known, trusted CA. This message is always fatal." and also states: "certificate_list This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case." X509 RFC says: "The selection of a trust anchor is a matter of policy: it could be the top CA in a hierarchical PKI, the CA that issued the verifier's own certificate(s), or any other CA in a network PKI. The path validation procedure is the same regardless of the choice of trust anchor. In addition, different applications may rely on different trust anchors, or may accept paths that begin with any of a set of trust anchors."
2014-06-12ssl: Fix dialyzer specs to reflect realityIngela Anderton Andin
2014-06-11ssl: Make sure change cipher spec is correctly handledIngela Anderton Andin
2014-05-27ssl: Add format_status function to ssl connection processIngela Anderton Andin
2014-05-26ssl: Add ssl options to listen options trackerIngela Anderton Andin
2014-05-26ssl: Move initIngela Anderton Andin
2014-05-13ssl: Only allow one next protocol handsake messageIngela Anderton Andin
2014-04-23ssl: Refactor so that there is only one source for the default hashsign valuesIngela Anderton Andin
Also fix DTLS call to supply its corresponding TLS version
2014-04-23ssl: always pass negotiated version when selecting hashsignDanil Zagoskin
Negotiated version is now always passed to ssl_handshake:select_hashsign because ssl_handshake:select_cert_hashsign has different rsa defaults on tlsv1.2 and older versions.
2014-04-17ssl: recv shall ruturn {error, einval} on active socketIngela Anderton Andin
2014-03-31ssl: Add possibility to specify ssl options when calling ssl:ssl_acceptIngela Anderton Andin
2014-03-25ssl: Improve type specsIngela Anderton Andin
Conflicts: lib/ssl/src/dtls_record.erl
2014-02-20ssl: Correct clean up of certificate database when certs are inputedIngela Anderton Andin
in pure DER format. The incorrect code could cause a memory leek when certs where inputed in DER.
2014-01-14ssl: fix elliptic curve selection in server modeAndreas Schultz
The server code erroneously took the list of curves supported by the client from it's own hello extension, effectively breaking curve selection all together. Also the default fallback secp256k1 curve is not supported by all clients. secp256r1 is recommended as part of the NIST Suite B cryptographic suites. The chances are much better that all clients support it, so use that as fallback.
2013-12-02ssl: Trap exitsIngela Anderton Andin
2013-12-02ssl: Refactor connetion handlingIngela Anderton Andin
2013-12-02ssl, public_key: Dialyzer fixesIngela Anderton Andin
2013-12-02ssl: Refactor premaster secret handlingIngela Anderton Andin
2013-12-02ssl: Refactor connection and handshake handlingIngela Anderton Andin
2013-06-04ssl: Structural perarparation to support DTLSIngela Anderton Andin
Also phase in tls module as main API instead of ssl. To make API clearer. As TLS is the new protocol name. Maybe keep some API functions in ssl
2013-06-04ssl: Rename ssl_certificate_db to ssl_pkix_db for clarityIngela Anderton Andin
Conflicts: lib/ssl/src/ssl.app.src lib/ssl/src/ssl_manager.erl
2013-05-24ssl: Remove unused `srp_parameters` type specKlaus Trainer
As the file 'lib/ssl/src/ssl_srp_primes.hrl' only contains a specification of a `srp_parameters` type that isn't exported and also isn't referenced anywhere (neither in the code nor in the documentation), the type specification (and hence the file as well) can be removed.
2013-05-20ssl: Remove use of deprecated crypto functionsIngela Anderton Andin
2013-05-08ssl & crypto: Generalize the remaining crypto APIIngela Anderton Andin
2013-05-08ssl: Fix Curve selectionIngela Anderton Andin
2013-05-08ssl, public_key, crypto: General generate_key and compute_key functionsIngela Anderton Andin
2013-05-08ssl: Improve extention handlingIngela Anderton Andin
2013-05-08ssl & public_key: API refinementIngela Anderton Andin
Change API so public_key:generate_key/compute_key are only called with "public_key arguments" otherwhise crypto functions can be called explicitly.
2013-05-08ssl: Remove dependency on internal public_key functionIngela Anderton Andin
Avoid unneccessary conversion as the input format is an oid (according to ASN1 spec) we do not need to handle it as an atom in ssl.
2013-05-08ssl & public_key: Improved handling ECDH keysIngela Anderton Andin
2013-05-08ssl & public_key: New public_key API for DH/ECDH/SRP keysIngela Anderton Andin
2013-05-08SSL: add Elliptic Curve support for ssl appAndreas Schultz
2013-04-12fix srp_anon ciphers suites requiring certificates to work.Andreas Schultz
This problem was not caught by the test suites since all PSK and SRP suites where always tested with certificates. Split those tests into test with and without certificates.
2013-04-03ssl: Use new SRP crypto APIIngela Anderton Andin
2013-03-28SSL: add TLS-SRP (RFC 5054) cipher suitesAndreas Schultz
2013-03-28SSL: add TLS PSK (RFC 4279 and RFC 5487) cipher suitesAndreas Schultz
2013-03-25Added comment about proxy certificatesFredrik Gustafsson
2013-03-21Fix ssl_connection to support reading proxy/chain certificatesValentin Kuznetsov
2013-03-06ssl: Handle next protocol negotiation when reusing a session.Ingela Anderton Andin
2013-03-05ssl: Clean code thanks to dialyzerIngela Anderton Andin
2013-03-05ssl: Check that negotiated version is a supported version.Ingela Anderton Andin
2013-02-20ssl: Fatal close alert makes more sense than handshake failiure at econnabortedIngela Anderton Andin
2013-02-18ssl: Further error handling enhancmentsIngela Anderton Andin
follow up enhancments done in commit e56167dd6ca8d37d26ea7f19933691a3bda41113 Make sure format_error return good strings. Replace confusing legacy atoms with more descriptive atoms.
2013-02-12ssl: Generalize cb_info optionIngela Anderton Andin
2013-01-23ssl: Remove unnecessary construction of a return valueKostis Sagonas
2013-01-22Merge branch 'ia/ssl/incompatible-error-msg/OTP-10451'Ingela Anderton Andin
* ia/ssl/incompatible-error-msg/OTP-10451: ssl: Enhance error handling
2013-01-21ssl: Enhance error handlingIngela Anderton Andin
Remove filter mechanisms that made error messages backwards compatible with old ssl but hid information about what actually happened. This does not break the documented API however other reason terms may be returned, so code that matches on the reason part of {error, Reason} may fail.
2013-01-17SSL: simplify server key encoding, decoding and signature handlingAndreas Schultz
server key encoding depends to the negotiated key exchange. Before the encoding was limited to diffie-hellman keys. This changes allows to select the key structure to decode and verify. It also consolidates the transport encoding of the parameters into one place.
2013-01-17SSL: unify the different implementations signature check implementationsAndreas Schultz
ssl_handshake and ssl_connection where doing essentially the same when checking a public key signature. This unify both into a single function