Age | Commit message (Collapse) | Author |
|
Changed the verify fun so that it differentiate between the peer
certificate and CA certificates by using valid_peer or valid as the
second argument to the verify fun. It may not always be trivial or
even possible to know when the peer certificate is reached otherwise.
|
|
Added the functionality so that the verification fun will be called
when a certificate is considered valid by the path validation to allow
access to eachs certificate in the path to the user application.
Removed clause that only check that a extension is not critical,
it does alter the verification rusult only withholds information from
the application.
Try to verify subject-AltName, if unable to verify it let
application try.
|
|
|
|
Changed the behavior of the verify_fun option so that
the application can be responsible for handling path validation
errors even on the server side. Also replaced the not yet
documented validate_extensions_fun to be handled by the
verify_fun instead.
If the verify callback fun returns {fail, Reason}, the verification process is
immediately stopped and an alert is sent to the peer and the TLS/SSL
handshake is terminated. If the verify callback fun returns {valid,
UserState}, the verification process is continued. If the verify callback
fun always returns {valid, UserState}, the TLS/SSL handshake will not be
terminated with respect to verification failures and the connection
will be established. The verify callback fun will also be
able to verify application specific extensions.
|
|
Added support for inputing certificates and keys directly in DER format
these options will override the pem-file options if specified.
|
|
|
|
Handling of unkown CA certificats was changed in ssl and
public_key to work as intended.
In the process of doing this some test cases has been corrected as
they where wrong but happened to work together with the
incorrect unknown CA handling.
|
|
* dgud/ssl/handskake_client_key/OTP-8793:
Fix handshake problem with multiple messages in one packet
|
|
Empty packets where not delivered from ssl, it incorrectly assumed
there was no data.
|
|
If hello and client_key_exchange message is sent together in
the same packet, ssl can't handle it and closes the connection.
Also fixed compiler warning.
|
|
Fixed handling of the option {mode, list} that was broken for some
packet types for instance line.
|
|
This corrects the returned data to be in list format, not binary if
both {packet, line} and list are set as option.
|
|
* ia/ssl-interop/OTP-8740:
Do not check the padding for TLS 1.0
|
|
* ia/public_key_api/OTP-8722:
Revise the public_key API
Resolved, version is now 0.8.
Conflicts:
lib/public_key/vsn.mk
|
|
Cleaned up and documented the public_key API to
make it useful for general use.
|
|
in client hello message when a client certificate is used
The client hello message now always include ALL available cipher suites
(or those specified by the ciphers option). Previous implementation would
filter them based on the client certificate key usage extension (such
filtering only makes sense for the server certificate).
|
|
For interoperability reasons we do not check the padding in TLS 1.0 as
it is not strictly required and breaks interopability with for
instance Google.
|
|
instead of causing a case-clause.
|
|
|
|
|
|
Started to improve code documentation by using -spec directive, and
some small refactorings to avoid ugly code.
|
|
Ssl has now switched default implementation and removed deprecated
certificate handling. All certificate handling is done by the public_key
application.
|
|
Ssl has now switched default implementation and removed deprecated
certificate handling. All certificate handling is done by the public_key
application.
|
|
(This is the merge of r13 version to r14_dev)
|
|
New ssl now support client/server-certificates signed by dsa keys.
|
|
This was broken during a refactoring of the code.
|
|
|
|
wrong shell!
|
|
|
|
|
|
|
|
|
|
it before sending the fatal alert, even though documentation suggests
the socket will be flushed on linux as an effect of setting the nodelay option.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
future.
|
|
|
|
New ssl now supports secure renegotiation as described by RFC 5746.
|
|
Alert handling has been improved to better handle unexpected but valid
messages and the implementation is also changed to avoid timing related
issues that could cause different error messages depending on network
latency. Packet handling was sort of broken but would mostly work as
expected when socket was in binary mode. This has now been fixed.
|
|
|
|
Temporary set the inet options on listen socket before doing accept
so that the correct options will be inherited by the accept socket.
Reset the options afterwards so that repeated use of listen socket
get user set values.
|