Age | Commit message (Collapse) | Author |
|
If a client sends some garbage in ssl record instead of
valid fragment, server crashes with function_clause while
receiving next record from client.
This patch makes server raise handshake failure instead of
crashing and exposing internal state to user code.
|
|
Negotiated version is now always passed to ssl_handshake:select_hashsign
because ssl_handshake:select_cert_hashsign has different rsa defaults on
tlsv1.2 and older versions.
|
|
Generalize last warning alert function clause
|
|
The server code erroneously took the list of curves supported by the
client from it's own hello extension, effectively breaking curve
selection all together.
Also the default fallback secp256k1 curve is not supported by
all clients. secp256r1 is recommended as part of the NIST Suite B
cryptographic suites. The chances are much better that all clients
support it, so use that as fallback.
|
|
|
|
|
|
|
|
|
|
New design : ssl - Main
tls - Reflect tls specific semantics
dtls - Reflect dtls specific semantics
|
|
|
|
Also the server should only send ECC point formats extension not ECC curve
extension.
|
|
|
|
|
|
Common functions will be located in ssl_handshake.erl while
specific functions will be located in tls_handshake.erl and dtls_handshake.erl
|
|
with proper defaults
Added ssl_ECC_SUITE
|
|
relative to the module name of the ssl_manager.
This can be beneficial when making tools that rename modules for internal
processing in the tool.
|
|
|
|
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/http_lib/http_transport.erl
lib/inets/src/inets_app/inets.appup.src
lib/inets/vsn.mk
lib/ssl/doc/src/notes.xml
lib/ssl/src/ssl.appup.src
lib/ssl/src/ssl.erl
lib/ssl/src/ssl_internal.hrl
lib/ssl/src/tls_connection.erl
lib/ssl/vsn.mk
|
|
* ia/ssl/header-bug/OTP-11230:
ssl: Revert faulty header option fix
|
|
The code was changed in the belife that it made it inet compatible.
However the testing is a bit hairy as the inet option is acctualy
broken, now the tests are corrected and the header option should work
in the same broken way as inet again, preferably use the bitsyntax
instead.
|
|
If calling setopts during a renegotiation the FSM state might change
during the handling of the setopts messages, this is now handled correctly.
|
|
|
|
Also phase in tls module as main API instead of ssl. To
make API clearer. As TLS is the new protocol name.
Maybe keep some API functions in ssl
|