Age | Commit message (Collapse) | Author |
|
We want to decrease the size of the outer state tuple, and gain
ease of understanding by better grouping. This is the first step
of creating a hs_env (handshake environment) part of the state.
This change will be performed gradually to reduce merge conflicts
complexity and risk of introducing errors.
|
|
|
|
New internal active N changed timing, and
new check is needed.
|
|
|
|
Conflicts:
lib/ssl/src/tls_connection.erl
|
|
Wtite connection state was not synchronized when peer initiated renegotiation
|
|
Conflicts:
lib/ssl/src/ssl_connection.hrl
lib/ssl/src/tls_connection.erl
|
|
Conflicts:
lib/ssl/src/dtls_connection.erl
lib/ssl/src/ssl_connection.erl
lib/ssl/src/ssl_connection.hrl
lib/ssl/src/tls_connection.erl
lib/ssl/src/tls_record.erl
|
|
|
|
As the stop wrapper functions are no longer needed after tls_sender
that altered the behaviour of the TLS distribution code.
|
|
Both test case and code needed updates to work as intended. Code needed update due to
new tls_sender process and the test case gave false positive reusult erarlier probably
due to beeing to sloopy in order to avoid timeouts.
|
|
|
|
|
|
Rename Connection:handle_common_event Connection:handle_protocol_record
removing use of unnecessary argument and making code easier to understand.
|
|
State values created at init
|
|
Conflicts:
lib/ssl/test/ssl_dist_bench_SUITE.erl
|
|
* raimo/ssl/tls_dist-optimization:
Handle socket close in state downgrade
Handle dead sender at terminate
Handle tls_sender exit properly
Optimize split_bin
Improve dist send throughput
|
|
Conflicts:
lib/ssl/src/dtls_connection.erl
lib/ssl/src/ssl_connection.erl
lib/ssl/src/tls_connection.erl
|
|
Also avoid code duplication
Conflicts:
lib/ssl/src/dtls_connection.erl
lib/ssl/src/tls_connection.erl
|
|
Make next_record an internal help function to next_event and avoid
duplicate calls to tls_socket:setopts for setting the active option.
|
|
|
|
|
|
This change adds the capability to the TLS 1.3 server to process
ClientHello messages and answer with ServerHello.
Change-Id: I13f6cfac932574300338e7301c6162252a591c70
|
|
- Use internal event to transition to the first state of the
TLS 1.3 state machine.
- Add gen_handshake_1_3/4 and gen_info_1_3/4.
Change-Id: I17f12110356c7be4a8dddf9a616df7f181b0ef37
|
|
- Fix handling of hello versions. TLS 1.3 ClientHello will use
TLS 1.3 encoding.
- Fix encoding/decoding of TLS records when record protection
has not yet been engaged (NULL cipher).
Change-Id: I7511d1a7751f1ec8c2f2f2fb3d21ddf80a3f428b
|
|
Change-Id: Ie7409675dd7a35825f32822df259286bbb95fd62
|
|
Change-Id: I2beb99aab1920d866dcdc91f67fc306fc16e9496
|
|
|
|
* ingela/ssl/deliver-all-data-at-close/ERL-731/OTP-15412:
ssl: Extend check for undelivered data at closing
|
|
This is a timing related bug that alas is hard to test
|
|
Change-Id: I4b382a7907247cc2099951fdefa40f1511b1123e
|
|
|
|
Conflicts:
lib/ssl/src/ssl_connection.erl
lib/ssl/src/tls_connection.erl
|
|
With the new TLS sender process, solving ERL-622, TLS ALERTs sent in
the connection state must be encrypted and sent by the TLS sender
process. This to make sure that the correct encryption state is used
to encode the ALERTS. Care must also be taken to ensure a graceful
close down behavior both for normal shutdown and downgrading from TLS
to TCP.
The original TR ERL-738 is verified by cowboy tests, and close down
behavior by our tests. However we alas have not been able to yet
create a minimal test case for the originating problem.
Also it seems it has become less likely that we run in to the TCP
delivery problem, that is the guarantee is only on transport level,
not application level. Keep work around function in ssl_test_lib but
we can have better test as long as we do not get to much wobbling
tests.
|
|
As TLS 1.3 introduces more extensions in other places than in hello messages
we like to have generalize extension handling encode/decode with some
hello wrappers.
Also extend property tests of handshake encod/decode
|
|
|
|
The link should be between the connection process and the tls_sender
process. But the start of the tls_sender process needs to be done
by the process that also starts the connection process in order to
correctly create the opaque #ssl_socket{}.
|
|
Conflicts:
lib/ssl/src/ssl_connection.erl
lib/ssl/src/tls_connection.erl
|
|
We want to make sure that the sender process that may get stuck in
prim_inet:send will die if the tls_connection process is
terminated. And we also like to make sure that it terminates as
gracefully as possible. So when the tls_connection process dies it
spawns a killer process that will brutaly kill the sender if it is
unresponsive and does not terminate due to its monitor of the
tls_connetion process triggering.
When the sender process also acts as distribution controller it
may also have other processess that it is linked with that it
should bring down or that could bring the connection down.
|
|
|
|
Separate sending and receiving when using TCP as transport
as prim_inet:send may block which in turn may result
in a deadlock between two Erlang processes communicating over
TLS, this is especially likely to happen when running Erlang distribution
over TLS.
|
|
- Introduce new macro ALL_TLS_RECORD_VERSIONS to decouple
ALL_AVAILABLE_VERSIONS from the list of valid TLS record
versions. It consists of versions allowed in
TLSCiphertext.version (TLS 1.2 and prior) and
TLSCiphertext.legacy_record_version (TLS 1.3).
- TLS 1.3 sets TLSCiphertext.legacy_record_version to 0x0303
for all records generated other than an initial ClientHello,
where it MAY also be 0x0301.
- TLSPlaintext.legacy_record_version is ignored.
Change-Id: Iabb1a954ab21f8be012e6460ae99ab533e31e123
|
|
|
|
When doing ssl:controlling_process on a ssl socket that has not
performed the TLS/DTLS handshake that call will succeed even though
the documentation stated otherwise. However if some other ssl option
was incorrect the call would hang. Now {error, closed} will be
returned in the latter case, which is logical independent on if it
should succeed or not in the former case. The former case will continue
to succeed, as it is not dependent of the TLS/DTLS connection being
established, and the documentation is altered slightly to not
explicitly disallow it. If the TLS/DTLS connection later fails and
the socket mode is active, the new controlling process will be
notified as expected.
|
|
- Introduce stateful logging levels to the ssl application:
The SSL option 'log_alert' sets log level to notice/warning
if it is set to true/false. Default log level is notice.
- Add new SSL option 'log_level' that overrides the value of
'log_alert'. Default value is notice.
- 'log_level' debug triggers verbose logging of TLS protocol
messages and logging of ignored alerts in DTLS.
Change-Id: I28d3f4029a5d504ec612abe4b9ae0b7d9b115197
|
|
Change-Id: Id52990a105c81373c7c6034df9a2675f9d0e429a
|
|
- Add logging for TLS Handshake messages.
- Remove version from the input map used in format/2.
Change-Id: I1a8a3dbe5854d3b25cca33e9a6634ac9a53d5867
|
|
Change-Id: I18786a9a8523d0ec3d9ca37ad5b2284721c5c4a1
|
|
|
|
|