aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src
AgeCommit message (Collapse)Author
2017-04-21ssl: TLS-1.2 clients will now always send hello messages on its own format.Ingela Anderton Andin
Note this is a change form how it works for earlier versions that will send the first hello message on the lowest supported version. From RFC 5246 Appendix E. Backward Compatibility E.1. Compatibility with TLS 1.0/1.1 and SSL 3.0 Since there are various versions of TLS (1.0, 1.1, 1.2, and any future versions) and SSL (2.0 and 3.0), means are needed to negotiate the specific protocol version to use. The TLS protocol provides a built-in mechanism for version negotiation so as not to bother other protocol components with the complexities of version selection. TLS versions 1.0, 1.1, and 1.2, and SSL 3.0 are very similar, and use compatible ClientHello messages; thus, supporting all of them is relatively easy. Similarly, servers can easily handle clients trying to use future versions of TLS as long as the ClientHello format remains compatible, and the client supports the highest protocol version available in the server. A TLS 1.2 client who wishes to negotiate with such older servers will send a normal TLS 1.2 ClientHello, containing { 3, 3 } (TLS 1.2) in ClientHello.client_version. If the server does not support this version, it will respond with a ServerHello containing an older version number. If the client agrees to use this version, the negotiation will proceed as appropriate for the negotiated protocol. If the version chosen by the server is not supported by the client (or not acceptable), the client MUST send a "protocol_version" alert message and close the connection. If a TLS server receives a ClientHello containing a version number greater than the highest version supported by the server, it MUST reply according to the highest version supported by the server. A TLS server can also receive a ClientHello containing a version number smaller than the highest supported version. If the server wishes to negotiate with old clients, it will proceed as appropriate for the highest version supported by the server that is not greater than ClientHello.client_version. For example, if the server supports TLS 1.0, 1.1, and 1.2, and client_version is TLS 1.0, the server will proceed with a TLS 1.0 ServerHello. If server supports (or is willing to use) only versions greater than client_version, it MUST send a "protocol_version" alert message and close the connection. Whenever a client already knows the highest protocol version known to a server (for example, when resuming a session), it SHOULD initiate the connection in that native protocol. Note: some server implementations are known to implement version negotiation incorrectly. For example, there are buggy TLS 1.0 servers that simply close the connection when the client offers a version newer than TLS 1.0. Also, it is known that some servers will refuse the connection if any TLS extensions are included in ClientHello. Interoperability with such buggy servers is a complex topic beyond the scope of this document, and may require multiple connection attempts by the client. Earlier versions of the TLS specification were not fully clear on what the record layer version number (TLSPlaintext.version) should contain when sending ClientHello (i.e., before it is known which version of the protocol will be employed). Thus, TLS servers compliant with this specification MUST accept any value {03,XX} as the record layer version number for ClientHello. TLS clients that wish to negotiate with older servers MAY send any value {03,XX} as the record layer version number. Typical values would be {03,00}, the lowest version number supported by the client, and the value of ClientHello.client_version. No single value will guarantee interoperability with all old servers, but this is a complex topic beyond the scope of this document.
2017-04-13ssl, dtls: Refactor so that DTLS records are handled correctly together with ↵Ingela Anderton Andin
AEAD handling
2017-04-13ssl, dtls: Correct integer type for sequence numberIngela Anderton Andin
2017-04-13dtls: Correct cookie map nameIngela Anderton Andin
2017-04-13dtls: Fix active once emulation for DTLSIngela Anderton Andin
2017-04-05Merge branch 'ingela/ssl/dtls-cookie/OTP-14076'Ingela Anderton Andin
* ingela/ssl/dtls-cookie/OTP-14076: dtls: Implement DTLS cookie secret generation
2017-04-04Merge branch 'maint'Ingela Anderton Andin
Conflicts: OTP_VERSION erts/vsn.mk lib/crypto/c_src/crypto.c lib/crypto/src/crypto.erl lib/ssh/src/ssh.erl
2017-03-30dtls: Implement DTLS cookie secret generationIngela Anderton Andin
2017-03-27ssl: Prepare for releaseIngela Anderton Andin
2017-03-27ssl: Avoid data loss in active onceIngela Anderton Andin
Emulate active once in such a way that data recived by the TLS connection process, but not fetch via active once option by the user, can be delivered at next active once before final close.
2017-03-23Merge branch 'ingela/ssl/dtls-frag'Ingela Anderton Andin
* ingela/ssl/dtls-frag: dtls: Handle overlapping fragments
2017-03-23dtls: Handle overlapping fragmentsIngela Anderton Andin
Fragment reassembling needs to handle that a smaller fragment then sent originally might overlap an earlier received fragment.
2017-03-21ssl: Add connection information itemsIngela Anderton Andin
Add session_id and remove undocumented ssl:session_info/1 Add client_random, server_random and master_secret, they will not be included in ssl:connection_information/1 as they may affect the connections security if used recklessly.
2017-03-16ssl: Remove deprecated functionsIngela Anderton Andin
2017-03-10Update copyright yearRickard Green
2017-03-10dtls: Correct version checkIngela Anderton Andin
2017-03-08Merge branch 'maint'Ingela Anderton Andin
2017-03-08Merge branch 'ingela/ssl/next-maint-version' into maintIngela Anderton Andin
* ingela/ssl/next-maint-version: ssl: Version update
2017-03-07dtls: 'dtlsv1.2' corresponds to 'tlsv1.2'Ingela Anderton Andin
'dtlsv1.2' should not be included in MIN_DATAGRAM_SUPPORTED_VERSIONS as this is the default when crypto does not have sufficient support for 'tlsv1.2' and 'dtlsv1.2'
2017-03-06dtls: Correct dialyzer spec and postpone inclusion of testIngela Anderton Andin
The new_options_in_accept test is not working yet, however DTLS is still work in progress and we want to make a progress merge to avoid merge conflicts with other progress of the ssl application.
2017-03-06dtls: Erlang distribution over DTLS is not supportedIngela Anderton Andin
Erlang distribution requiers a reliable transport, which udp is not. Maybe could be interesting later when SCTP support is added to DTLS.
2017-03-06dtls: Hibernation and retransmit timersIngela Anderton Andin
Change retransmissions timers to use gen_statem state timeouts. We do not need a retransmission timer in the state connection as data traffic in DTLS over UDP is not retransmitted. If the last flight before transitioning into connection is lost, it will be resent when the peer resends its last flight. This will also make hibernation testing more straight forward. We need more adjustments later to handle a reliable DTLS transport such as SCTP.
2017-03-06dtls: Make sure retransmission timers are runIngela Anderton Andin
2017-03-06dtls: DTLS specific handling of socket and ciphersIngela Anderton Andin
DTLS does not support stream ciphers and needs diffrent handling of the "#ssl_socket{}" handle .
2017-02-22Merge branch 'maint'Ingela Anderton Andin
2017-02-21ssl: Always prefer AES over 3DESIngela Anderton Andin
AES256 was preferred over 3DES already, so this only makes sure AES128 is preferred over 3DES also. This changes the default but probably nobody will notice as a better algorithm will be chosen anyhow.
2017-02-15Merge branch 'fix-source-typos'Björn Gustavsson
* fix-source-typos: (25 commits) Fixed typos in system/doc Fixed typos in lib/xmerl Fixed typos in lib/wx Fixed typos in lib/stdlib Fixed typos in lib/snmp Fixed typos in lib/ssl Fixed typos in lib/ssh Fixed typos in PKCS-8.asn1 file Fixed typos in lib/parsetools Fixed typos in lib/orber Fixed typos in lib/mnesia Fixed typos in lib/megaco Fixed typos in lib/kernel Fixed typos in lib/jinterface Fixed typos in lib/inets Fixed typos in lib/hipe Fixed typos in lib/eunit Fixed typos in lib/erl_interface Fixed typos in lib/eldap Fixed typos in lib/edoc ...
2017-02-14Fixed typos in lib/sslAndrew Dryga
2017-02-08ssl: Avoid SSL/TLS hello format confusionIngela Anderton Andin
Valid SSL 3.0 or TLS hellos might accidentally match SSL 2.0 format (and sometimes the other way around before inspecting data) so we need to match SSL 3.0 and TLS first and only match SSL 2.0 hellos when flag to support it is set.
2017-02-01ssl: Simplify configuration codeIngela Anderton Andin
Use map instead of large tuple, which was not an option when the code was written originally. More simplifications along these lines may be done later to the state record.
2017-02-01ssl: Make sure PEM cache works as intendedIngela Anderton Andin
Move of PEM cache to own process was flawed and not all PEM files where cached properly. We must properly handle both the ditributed and the normal mode of the ssl application.
2017-01-27Merge branch 'ingela/ssl/key-ext-validate/ERL-338/OTP-14141' into maintIngela Anderton Andin
* ingela/ssl/key-ext-validate/ERL-338/OTP-14141: ssl: The certificate path may be used as a source to find intermediate CAs for the CRL ssl: Handle more than one DistributionPoint ssl: Correct ssl_certificate:validate/3
2017-01-26ssl: The certificate path may be used as a source to find intermediate CAs ↵Ingela Anderton Andin
for the CRL
2017-01-24ssl: Handle more than one DistributionPointIngela Anderton Andin
2017-01-24ssl: Correct ssl_certificate:validate/3Ingela Anderton Andin
Changes made to ssl_certificate:validate appear to be preventing CRL validation from happening when an id-ce-extKeyUsage extension is present in the cert before the DistributionPoint extension. https://github.com/erlang/otp/blob/448e8aca77dd29ed5b37d56f0700d24ac26a7243/lib/ssl/src/ssl_certificate.erl#L131 See also ERL-338 and PR-1302
2017-01-19ssl: Move PEM cache to a dedicated processIngela Anderton Andin
The PEM cache handling has proven to be too disruptive of the manager process.
2017-01-17ssl: Handle really big handshake packagesIngela Anderton Andin
If a handshake message is really big it could happen that the ssl process would hang due to failing of requesting more data from the socket. This has been fixed. Also added option to limit max handshake size. It has a default value that should be big enough to handle normal usage and small enough to mitigate DoS attacks.
2016-12-21ssl: Version updateIngela Anderton Andin
2016-12-19ssl: Correct terminate behaviourIngela Anderton Andin
When the terminate function is called explicitly, to make guarantees that for instance the reuseaddr option works as expected, we must make sure that the clean up code is not run again when gen_statem calls terminate. This check was broken in the rewrite from gen_fsm to gen_statem. Caused PEM cache errors, that in some cases would cause unexpected connection failures.
2016-12-07Update copyright-yearErlang/OTP
2016-12-05ssl: Implement DTLS state machineIngela Anderton Andin
Beta DTLS, not production ready. Only very basically tested, and not everything in the SPEC is implemented and some things are hard coded that should not be, so this implementation can not be consider secure. Refactor "TLS connection state" and socket handling, to facilitate DTLS implementation. Create dtls "listner" (multiplexor) process that spawns DTLS connection process handlers. Handle DTLS fragmentation. Framework for handling retransmissions. Replay Detection is not implemented yet. Alerts currently always handled as in TLS.
2016-11-02Add ECC curve selection order config in TLS serverFred Hebert
As per RFC 4492 Sec 5.1, the preferred order of selection of named curves is based on client preferences. Currently, the SSL application only picks entries according to the absolute order of entries as tracked in a hardcoded list in code. This patch changes things so that the client-specified order is preferred. It also allows a mode where the server can be configured to override the client's preferred order with its own, although the chosen ECC must still be within both lists. The configuration is done through the following options: - `eccs`, shared by clients and servers alike, allows the specification of the supported named curves, in their preferred order, and may eventually support more values for explicit primes and so on. - `honor_ecc_order`, a server-only option, is similar to `honor_cipher_order` and will, by default let the server pick the client-preferred ECC, and otherwise pick the server-preferred one. The default value for `eccs` is the same as before, although the server-chosen ECC now defaults to the client rather than previous choice. A function `ssl:eccs()` has been added that returns the highest supported ECCs for the library.
2016-10-10Properly filter ssl cipher suites reported as supportedDániel Szoboszlay
Adapted from commit 675ee6860d2c273bcc6c6a0536634a107e2a3d9f. Conflicts: lib/ssl/src/ssl_cipher.erl
2016-10-07Merge branch 'ingela/ssl/cipher-type-spec' into maintIngela Anderton Andin
* ingela/ssl/cipher-type-spec: ssl: Adjust cipher type to conform to implementation
2016-10-05ssl: Adjust cipher type to conform to implementationIngela Anderton Andin
2016-10-04Merge branch 'RoadRunnr/crypto/no-rc4/PR-1169/OTP-13896' into maintRaimo Niskanen
* RoadRunnr/crypto/no-rc4/PR-1169/OTP-13896: disable RC4 in SSL when crypto doesn't support it Fix compilation when OpenSSL doesn't support RC4 Conflicts: lib/crypto/c_src/crypto.c
2016-09-30ssl: Correct anonymous suite handlingIngela Anderton Andin
Test suite did not take TLS-version in to account. Also some anonymous suites where included incorrectly in some TLS versions.
2016-09-28Merge branch 'ingela/ssl/ECC-selection-fix/OTP-13918' into maint-19Erlang/OTP
* ingela/ssl/ECC-selection-fix/OTP-13918: ssl: Correct ECC curve selection, the error could cause default to always be selected.
2016-09-28ssl: Correct ECC curve selection, the error could cause default to always be ↵Ingela Anderton Andin
selected.
2016-09-27ssl: Avoid event reorderingIngela Anderton Andin
Several handshake events may be received in the same TLS packet. Then there will be several events pushed to the gen_statems internal queue. New events already in the socket-buffer should not be processed if there are more unprocessed handshake events in next_event queue. We need to handle this in the next_record/1 function.