aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src/tls_connection.erl
AgeCommit message (Collapse)Author
2016-01-21ssl: Fix timing releated bugIngela Anderton Andin
2015-12-11ssl: fix hibernate_after with instant or near instant timeoutsAndrey Mayorov
2015-11-18ssl: Client should send the hello message in the lowest version it is ↵Ingela Anderton Andin
willing to support Refactor highest_protocol_version so that code is symmetrical with lowest_protocol_version. For clarity and possible future use cases of highest_protocol_version/2
2015-09-16ssl: Improve shutdown logicIngela Anderton Andin
Add possibility to downgrade an SSL/TLS connection to a tcp connection, and give back the socket control to a user process. Add application setting to be able to change fatal alert shutdown timeout, also shorten the default timeout. The fatal alert timeout is the number of milliseconds between sending of a fatal alert and closing the connection. Waiting a little while improves the peers chances to properly receiving the alert so it may shutdown gracefully.
2015-06-18Change license text to APLv2Bruce Yinhe
2015-06-10Merge branch 'ferd/deny-client-renegotiation'Henrik Nord
* ferd/deny-client-renegotiation: Add disable client-initiated renegotiation option Conflicts: lib/ssl/doc/src/ssl.xml lib/ssl/src/ssl.erl OTP-12815
2015-06-03Add disable client-initiated renegotiation optionFred Hebert
Client-initiated renegotiation is more costly for the server than the client, and this feature can be abused in denial of service attempts. Although the ssl application already takes counter-measure for these (via cooldown periods between renegotiations), it can be useful to disable the feature entirely. This patch adds the `{client_renegotiation, boolean()}' option to the server-side of the SSL application (defaulting to `true' to be compatible with the current behaviour). The option disables the ability to do any renegotiation at all in the protocol's state, reusing the existing denial code, but without opening the code path that sets up a timed message to eventually reopen it up.
2015-05-12ssl: Refactored and corrected sni_fun handlingIngela Anderton Andin
Dialyzer warned about the incorrect match of Packets. Code was refactored and the problem avoided in the process. Dialyzer warned that the empty tuple is not a function as the contract said it should be. Changed the handling of the sni_fun default value to be undefined and added it to the contract.
2015-05-12ssl: add option sni_funQijiang Fan
The newly added function sni_fun allows dynamic update of SSL options like keys and certificates depending on different SNI hostname, rather than a predefined rules of SSL options.
2015-05-12ssl: add SNI server supportQijiang Fan
2015-03-17ssl: Add TLS-ALPN supportLoïc Hoguin
This commit adds support for RFC7301, application-layer protocol negotiation. ALPN is the standard based approach to the NPN extension, and is required for HTTP/2. ALPN lives side by side with NPN and provides an equivalent feature but in this case it is the server that decides what protocol to use, not the client. When both ALPN and NPN are sent by a client, and the server is configured with both ALPN and NPN options, ALPN will always take precedence. This behavior can also be found in the OpenSSL implementation of ALPN. ALPN and NPN share the ssl:negotiated_protocol/1 function for retrieving the negotiated protocol. The previously existing function ssl:negotiated_next_protocol/1 still exists, but has been deprecated and removed from the documentation. The tests against OpenSSL require OpenSSL version 1.0.2+.
2015-01-23ssl: Reenable padding check for TLS-1.0 and provide backwards compatibleIngela Anderton Andin
disable option
2015-01-23ssl: Reenable padding check for TLS-1.0 and provide backwards compatibleIngela Anderton Andin
disable option Conflicts: lib/ssl/src/ssl_cipher.erl lib/ssl/src/ssl_record.erl lib/ssl/src/tls_record.erl lib/ssl/test/ssl_cipher_SUITE.erl
2014-09-10ssl: Prepare for release - soft upgradeIngela Anderton Andin
2014-06-11ssl: Make sure change cipher spec is correctly handledIngela Anderton Andin
2014-06-03ssl: Workaround that gen_fsm does not call CB:format_status when CB:terminateIngela Anderton Andin
crashes.
2014-05-27ssl: Add format_status function to ssl connection processIngela Anderton Andin
2014-05-26ssl: Add ssl options to listen options trackerIngela Anderton Andin
2014-05-26ssl: Move initIngela Anderton Andin
2014-04-30ssl: Add checks to avoid processing of illegal alertsIngela Anderton Andin
2014-04-23ssl: Fix crash on garbage during handshakeDanil Zagoskin
If a client sends some garbage in ssl record instead of valid fragment, server crashes with function_clause while receiving next record from client. This patch makes server raise handshake failure instead of crashing and exposing internal state to user code.
2014-04-23ssl: always pass negotiated version when selecting hashsignDanil Zagoskin
Negotiated version is now always passed to ssl_handshake:select_hashsign because ssl_handshake:select_cert_hashsign has different rsa defaults on tlsv1.2 and older versions.
2014-04-17ssl: Graceful handling of warning alertsIngela Anderton Andin
Generalize last warning alert function clause
2014-01-14ssl: fix elliptic curve selection in server modeAndreas Schultz
The server code erroneously took the list of curves supported by the client from it's own hello extension, effectively breaking curve selection all together. Also the default fallback secp256k1 curve is not supported by all clients. secp256r1 is recommended as part of the NIST Suite B cryptographic suites. The chances are much better that all clients support it, so use that as fallback.
2013-12-02ssl: Trap exitsIngela Anderton Andin
2013-12-02ssl: Refactor connetion handlingIngela Anderton Andin
2013-12-02ssl: API and supervisorIngela Anderton Andin
2013-12-02ssl: Dialyzer fixesIngela Anderton Andin
2013-12-02ssl: Refactor APIIngela Anderton Andin
New design : ssl - Main tls - Reflect tls specific semantics dtls - Reflect dtls specific semantics
2013-12-02ssl: Refactor connection and handshake handlingIngela Anderton Andin
2013-10-14ssl: Honor TLS client ECC extensionIngela Anderton Andin
Also the server should only send ECC point formats extension not ECC curve extension.
2013-09-10ssl: Refactor TLS/DTLS record handlingIngela Anderton Andin
2013-09-10ssl: Solve rebase issuesIngela Anderton Andin
2013-09-10ssl: Refactor to provide common handshake functions for TLS/DTLSIngela Anderton Andin
Common functions will be located in ssl_handshake.erl while specific functions will be located in tls_handshake.erl and dtls_handshake.erl
2013-09-02ssl: Handle signature_algorithm field in digitally_signed properlyIngela Anderton Andin
with proper defaults Added ssl_ECC_SUITE
2013-08-28ssl: Make the ssl manager name for erlang distribution over SSL/TLSIngela Anderton Andin
relative to the module name of the ssl_manager. This can be beneficial when making tools that rename modules for internal processing in the tool.
2013-08-23Merge branch 'maint-r16' into maintFredrik Gustafsson
2013-08-23Merge branch 'maint-r15' into maint-r16Fredrik Gustafsson
Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/http_lib/http_transport.erl lib/inets/src/inets_app/inets.appup.src lib/inets/vsn.mk lib/ssl/doc/src/notes.xml lib/ssl/src/ssl.appup.src lib/ssl/src/ssl.erl lib/ssl/src/ssl_internal.hrl lib/ssl/src/tls_connection.erl lib/ssl/vsn.mk
2013-08-12Merge branch 'ia/ssl/header-bug/OTP-11230' into maintIngela Anderton Andin
* ia/ssl/header-bug/OTP-11230: ssl: Revert faulty header option fix
2013-08-08ssl: Revert faulty header option fixIngela Anderton Andin
The code was changed in the belife that it made it inet compatible. However the testing is a bit hairy as the inet option is acctualy broken, now the tests are corrected and the header option should work in the same broken way as inet again, preferably use the bitsyntax instead.
2013-08-07ssl: Setopts during renegotiation caused the renegotiation to be unsuccessful.Ingela Anderton Andin
If calling setopts during a renegotiation the FSM state might change during the handling of the setopts messages, this is now handled correctly.
2013-06-07ssl: Correct rebase mistakesIngela Anderton Andin
2013-06-04ssl: Structural perarparation to support DTLSIngela Anderton Andin
Also phase in tls module as main API instead of ssl. To make API clearer. As TLS is the new protocol name. Maybe keep some API functions in ssl