| Age | Commit message (Collapse) | Author |
|---|
|
|
|
* ingela/ssl/doc-enhancements:
ssl: Enhance documentation after "use-spec-rewrite"
|
|
|
|
Improve the abstraction between the ssl_connection module
and dtls_connection, tls_connection and tls_sender, as well
as towards the lower level tls_record and ssl_record modules.
Remove some dead code.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
flight_state is used to handle retransmission timers for DTLS over udp
|
|
|
|
|
|
|
|
|
|
|
|
Remove duplicate handsake history handling form
ssl_config function. Later we might refactor to avoid
duplication in TLS and DTLS code, but handshake history
does not belong in ssl_config function.
|
|
|
|
|
|
|
|
We want to decrease the size of the outer state tuple, and gain
ease of understanding by better grouping. This is the first step
of creating a hs_env (handshake environment) part of the state.
This change will be performed gradually to reduce merge conflicts
complexity and risk of introducing errors.
|
|
|
|
Both test case and code needed updates to work as intended. Code needed update due to
new tls_sender process and the test case gave false positive reusult erarlier probably
due to beeing to sloopy in order to avoid timeouts.
|
|
State values created at init
|
|
|
|
Separate sending and receiving when using TCP as transport
as prim_inet:send may block which in turn may result
in a deadlock between two Erlang processes communicating over
TLS, this is especially likely to happen when running Erlang distribution
over TLS.
|
|
|
|
|
|
answer to a certificate request
Solves ERL-599
|
|
|
|
|
|
|
|
|
|
|
|
Beta DTLS, not production ready. Only very basically tested, and
not everything in the SPEC is implemented and some things
are hard coded that should not be, so this implementation can not be consider
secure.
Refactor "TLS connection state" and socket handling, to facilitate
DTLS implementation.
Create dtls "listner" (multiplexor) process that spawns
DTLS connection process handlers.
Handle DTLS fragmentation.
Framework for handling retransmissions.
Replay Detection is not implemented yet.
Alerts currently always handled as in TLS.
|
|
* ingela/ssl/ECC-selection-fix/OTP-13918:
ssl: Correct ECC curve selection, the error could cause default to always be selected.
|
|
selected.
|
|
Several handshake events may be received in the same TLS packet. Then there
will be several events pushed to the gen_statems internal queue.
New events already in the socket-buffer should not be processed
if there are more unprocessed handshake events in next_event queue.
We need to handle this in the next_record/1 function.
|
|
|
|
The flight concept was introduced by DTLS (RFC 4347) to optimize
the packing of DTLS records into UDP packets. This change
implments the flight concept in the the generic SSL connection
logic and add the queue logic to the TLS and DTLS stack.
The DTLS required resend handling is not implemented yet.
While the flight handling is only required for DTSL, it turns
out that the same mechanism can be usefull to TCP based TLS as
well.
With the current scheme each TLS record will be mapped into a
separate TCP frame. This causes more TCP frames to be generate
that necessary. On fast network this will have no impact, but
reducing the number of frames and thereby the number of
round trips can result in significant speedups on slow and
unreliable networks.
Conflicts:
lib/ssl/src/tls_connection.erl
|
|
Also reduce timing issues in tests
|
|
Record field types have been modified due to commit 8ce35b2:
"Take out automatic insertion of 'undefined' from typed record fields".
|
|
|
|
|
|
This commit adds support for RFC7301, application-layer protocol
negotiation. ALPN is the standard based approach to the NPN
extension, and is required for HTTP/2.
ALPN lives side by side with NPN and provides an equivalent
feature but in this case it is the server that decides what
protocol to use, not the client.
When both ALPN and NPN are sent by a client, and the server is
configured with both ALPN and NPN options, ALPN will always
take precedence. This behavior can also be found in the OpenSSL
implementation of ALPN.
ALPN and NPN share the ssl:negotiated_protocol/1 function for
retrieving the negotiated protocol. The previously existing
function ssl:negotiated_next_protocol/1 still exists, but has
been deprecated and removed from the documentation.
The tests against OpenSSL require OpenSSL version 1.0.2+.
|
|
|
|
|
|
|
