Age | Commit message | Author

Signed-off-by: Peter Lemenkov <[email protected]>

* legoscia/ssl/tls-dist-more-opts/PR-956/OTP-13429:
Quote curly brackets in command line options
Avoid disappearing ETS tables in ssl_dist_SUITE
Fix db handle for TLS distribution crl_cache opts
Fix ssl_dist_SUITE logging on Windows
More logging in ssl_dist_SUITE
TLS distribution: crl_check and crl_cache options
Allow passing verify_fun for TLS distribution
More informative malformed_ssl_dist_opt error

If the -epmd_module flag has been specified on the command line, use
that module to register and look up node names instead of the default,
erl_epmd.
Also document this option.

* henrik/update-copyrightyear:
update copyright-year

In ssl_tls_dist_proxy:accept_loop/3, handle {error, closed} by
exiting normally. This prevents a spurious error report at node
shutdown.

Allow specifying the crl_check and crl_cache options for TLS
distribution connections.

Accept a value of the form {Module, Function, State} from the command
line. This is different from the {Fun, State} that ssl:connect etc
expect, since there's no clean way to parse a fun from a command line
argument.

* legoscia/tls_ipv6_dist:
Add inet6_tls_dist, for TLS distribution over IPv6
Conflicts:
lib/ssl/src/ssl_tls_dist_proxy.erl
OTP-13391

* legoscia/tls-dist-listen-ip:
TLS distribution: bind erts socket to localhost
OTP-13300

Generalise much of inet_tls_dist, so that inet6_tls_dist can reuse it.

* legoscia/tls-dist-connect-options:
ssl_dist_SUITE: don't use deprecated functions
TLS distribution: support inet_dist_connect_options
OTP-13285

* legoscia/tls_dist_wait_for_code_server:
TLS distribution: wait for code server
OTP-13268

Allow adding extra options for outgoing TLS distribution connections,
as supported for plain TCP connections.

* legoscia/tls_dist_error_reporting:
Report bad options for outgoing TLS distribution
Save error reasons for TLS distribution connections
Report bad options for TLS distribution connections
OTP-13219

There is no reason for the socket on the erts side of the proxy to
accept connections from other hosts, so let's bind it to the loopback
interface.
Also change {ip, {127,0,0,1}} to {ip, loopback} for the erts side of
the socket for outgoing connections, to avoid hardcoding IPv4.

If ssl:connect/3 returns an error related to options, let's log that
so we have a chance to see it and fix it.

* legoscia/tls_dist_options:
Test interface listen option for TLS distribution
Test socket listen options for TLS distribution
Test port options for TLS distribution
TLS Dist: Use inet_dist_ options
Conflicts:
lib/ssl/src/ssl_tls_dist_proxy.erl
lib/ssl/test/ssl_dist_SUITE.erl
OTP-12838

* legoscia/tls_dist_nodelay:
Add test for dist_nodelay option
Honour dist_nodelay socket option in tls_dist proxy
OTP-13143

Add test that checks that the option inet_dist_listen_options is used
when starting a node with TLS distribution.
This test was adapted from inet_dist_options_options in
erl_distribution_SUITE.

The inet_dist_ options, such as min/max port numbers, aren't used
with TLS distribution. This commit uses those settings in the
same way as they're used in inet_tcp_dist.erl.

As described in the comments in the patch, doing a TLS handshake
requires the crypto module to be loaded. The crypto module needs the
code server to find its NIF library. However, there is a time window
between opening the listening ports for distribution and starting the
code server, and if we get an incoming connection in that time window,
the node would believe that it's alive, but it wouldn't actually
accept any more connections.

If ssl:ssl_accept/2 returns an error related to options, it's most
likely something we want to log. In particular, if the specified
certificate file doesn't exist, this is where the error ends up, so we
shouldn't just throw the error away.

The duplicate_name error returned from erl_epmd:register_node elicits a
particularly precise error message from net_kernel, so let's pass it
along to our caller.
Not doing this for the other things that could go wrong here, since for
those having the line number will likely aid debugging.

If a plaintext cluster has nodelay=1 then so should the tls cluster;
significant performance issues have been seen when nodelay isn't set.

In some instances, restarting a node causes a fatal SSL error on
the other nodes which isn't handled, leaving the socket open. Eventually
the nodes will net tick timeout but the node being restarted never
comes back to life.
By handling the fatal error and closing the socket, the restarting
node can restart successfully even when the ssl error occurs.

* pg/fix-ssl_tls_dist_proxy-setup-loop:
Fix setup loop of SSL TLS dist proxy
OTP-9915
OTP-9916

Fix a bug where the caller would timeout and ssl_tls_dist_proxy would
crash.
Fix a bug where a timeout from the SSL layer would block the
distribution forever (typically when a non-SSL node tries to connect to an
SSL node).
Add this very case as a test (test_server tries to connect to SSL nodes).
Run the proxy exclusively on the loopback interface.

The proxy socket or the SSL socket can be closed during the setup phase.
In such situations, the proxy processes must exit nicely, to avoid any
leak of processes waiting forever for data from closed sockets.

Also cleaned up old guards.