aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src
AgeCommit message (Collapse)Author
2011-10-24fix handling of block_decipher/5 failureAndreas Schultz
A wrong decryption key would cause a badmatch in generic_block_cipher_from_bin/2. The try in block_decipher/5 was probably intendend to deal with that, but was misplace for this. Additionaly, generating a failure alert erly, without computing the record MAC, creates vector for a timing attack on CBC padding (for details check TLS 1.2 RFC 5246, Sect. 6.2.3.2.). This attach vector and the counter meassure applies to all SSL/TLS versions. As a counter messure, compute the MAC even when decryption or padding checks fail. A invalid padding will force a MAC failure by intentionaly invalidating the content.
2011-10-11Put back ssl:peercert/1Ingela Anderton Andin
I accidentally removed a little too much, only peercert/2 was deprecated.
2011-10-06Merge branch 'ia/ssl/remove-old-ssl/OTP-7048'Ingela Anderton Andin
* ia/ssl/remove-old-ssl/OTP-7048: Remove old ssl implementation and deprecated function ssl:peercert/1 Conflicts: lib/ssl/test/Makefile
2011-10-06Merge branch 'ia/ssl/dist-more-tests'Ingela Anderton Andin
* ia/ssl/dist-more-tests: Better option handling Improve code structure Remove ssl_prim calls that are remains from the old ssl distribution Add payload test
2011-10-04Better option handlingIngela Anderton Andin
Also cleaned up old gaurds.
2011-10-03Improve code structureIngela Anderton Andin
2011-10-03Remove ssl_prim calls that are remains from the old ssl distributionIngela Anderton Andin
2011-09-29Merge branch 'dev' into majorBjörn-Egil Dahlberg
* dev: Update copyright years
2011-09-29Update copyright yearsBjörn-Egil Dahlberg
2011-09-28Merge remote branch 'upstream/dev' into majorIngela Anderton Andin
* upstream/dev: Both the SSLv3 and TLS 1.0/TLS 1.1 specifications require implementations to ignore data following the ClientHello (i.e., extensions) if they do not understand them. fix unknown ssl extension parsing by changing length from bits to bytes Temporary disable tests on MAC due to issus with the MAC ODBC drivers
2011-09-27Both the SSLv3 and TLS 1.0/TLS 1.1 specifications requireIngela Anderton Andin
implementations to ignore data following the ClientHello (i.e., extensions) if they do not understand them. Data not following the protocol format for extensions will be ignored by the last dec_hello_extensions-clause. OTP-8596
2011-09-27fix unknown ssl extension parsing by changing length from bits to bytesBen Murphy
2011-09-20Merge branch 'dev' into majorHenrik Nord
Conflicts: erts/aclocal.m4 erts/include/internal/ethread_header_config.h.in
2011-09-20Merge branch 'ta/docs-fixes' into devHenrik Nord
* ta/docs-fixes: Fix misspelling of intermediate Fix typos in erts/preloaded/src Fix more misspellings of compatibility Fix misspelling of kept Fix misspelling of compatibility in ssl_basic_SUITE Fix misspelling of compatibility Fix misspelling of accommodate Fix misspelling of exceed Fix misspelling of accidentally Fix misspelling of erroneous in xmerl_xsd Fix misspelling of erroneous Fix misspelling of successful Fix typos in instrument(3) Fix typos in dbg(3) dialyzer: fix a small typo in list_to_bitstring test Fix typos in cover.erl Fix typos (variable name) in erl_nif(3) Fix typos in mod_esi(3) Fix trivial typos in erlang(3) OTP-9555
2011-09-16Remove old ssl implementation and deprecated function ssl:peercert/1Ingela Anderton Andin
2011-09-16Merge remote branch 'upstream/dev' into majorIngela Anderton Andin
* upstream/dev: Support explicit use of packet option httph and httph_bin
2011-09-16Support explicit use of packet option httph and httph_binIngela Anderton Andin
2011-09-15Fix more misspellings of compatibilityTuncer Ayaz
2011-09-13Merge branch 'ia/ssl/dist/OTP-7053' into majorIngela Anderton Andin
* ia/ssl/dist/OTP-7053: First fully working version Use ssl instead of being a proxy command Connect from both sides works now
2011-09-09First fully working versionIngela Anderton Andin
2011-09-06Corrected faulty dialyzer specIngela Anderton Andin
2011-09-05Corrected spec name errors: ip_adress -> ip_address port_num -> port_numberIngela Anderton Andin
2011-09-01Connect from both sides works nowDan Gudmundsson
2011-08-31Merge branch 'ia/ssl/use-inet-and-gen-specs' into devIngela Anderton Andin
* ia/ssl/use-inet-and-gen-specs: Use inet and gen_* dialyzer specs
2011-08-31Use inet and gen_* dialyzer specsIngela Anderton Andin
2011-08-30Corrected input argument to error_logger:error_report/1Ingela Anderton Andin
2011-08-08replace "a ssl" with "an ssl"Christian von Roques
2011-06-29Removed global name from the certificate tabelIngela Anderton Andin
We want the certificate table to be handled the same way as the session table and not have a global name, so that we may easier create a separate ssl-manager to handle erlang distribution over ssl.
2011-06-28Merge branch 'ia/ssl/use-erlang-send-after-instead-of-timer-send-after' into devIngela Anderton Andin
* ia/ssl/use-erlang-send-after-instead-of-timer-send-after: Use erlang:send_after instead of timer:send_after Conflicts: lib/ssl/test/ssl_session_cache_SUITE.erl
2011-06-27Use erlang:send_after instead of timer:send_afterIngela Anderton Andin
Also save latest delay cleanup timer ref so that we can use erlang:read_timer to write a more reliable test case.
2011-06-27Handle inet:getopts/2 and inet:setopts/2 crashesIngela Anderton Andin
2011-06-14Changed test case so that we do not have to make ets-table namedIngela Anderton Andin
2011-06-07Prevention of denial of service attackIngela Anderton Andin
2011-06-01The clean up of the session table now works as intended.Ingela Anderton Andin
In ssl-4.1.5 temporary clean-up processes would crash resulting in that the session table would not be cleaned up (e.i. using more and more memory) and error reports would be printed, but connections would not be affected.
2011-05-24Corrected last argument to timer:apply_after also corrected a dilyzer specIngela Anderton Andin
2011-05-17In TLS 1.1, failure to properly close a connection no longer requiresIngela Anderton Andin
that a session not be resumed. This is a change from TLS 1.0 to conform with widespread implementation practice. Erlang ssl will now in TLS 1.0 conform to the widespread implementation practice instead of the specification to avoid performance issues.
2011-05-16OTP-9094: [httpc] Add support for upload body streaming (PUT and POST).Micael Karlberg
Filipe David Manana OTP-9114: [ftp] Added (type) spec for all exported functions. OTP-9123: mod_esi:deliver/2 made to accept binary data. Bernard Duggan OTP-9124: [httpd] Prevent XSS in error pages. Michael Santos OTP-9131: [httpd] Wrong security property names used in documentation. Garrett Smith OTP-9157: [httpd] Improved error messages. Ricardo Catalinas Jim�nez OTP-9158: [httpd] Fix timeout message generated by mod_esi. Bernard Duggan OTP-9202: [httpd] Extended support for file descriptors. Attila Rajmund Nohl OTP-9230: The default ssl kind has now been changed to essl. OTP-9246: [httpc] httpc manager crash because of a handler retry race condition. Merge branch 'bmk/inets/inet56_integration' into dev
2011-05-13Ssl sometimes fails when reusing a sessionIngela Anderton Andin
Invalidation of a session for reusing should first flag that the session may no longer be reused and then later when all possible pending reuses have been handled delete the session from the database. This could otherwise cause the client to terminate due to {badarg,[{erlang,byte_size,[undefined]}, and the server to terminate due to {{badmatch,{resumed,undefined}}.
2011-05-12Calling gen_tcp:connect with option {ip, {127,0,0,1}} results in an exit withMicael Karlberg
reason badarg. Neither SSL nor INETS catches this, resulting in crashes with incomprehensible reasons. OTP-9289
2011-05-12Calling gen_tcp:connect with option {ip, {127,0,0,1}} results in an exit withMicael Karlberg
reason badarg. Neither SSL nor INETS catches this, resulting in crashes with incomprehensible reasons. OTP-9289
2011-05-05Spec correctionsIngela Anderton Andin
2011-05-04Dialyzer spec fixIngela Anderton Andin
2011-04-29Changed iolist() to iodata()Ingela Anderton Andin
ssl:send/2 takes iodata() as a second argument. erlang:iolist_to_binary should really be called erlang:iodata_to_binary which caused the mismatch in the first place.
2011-04-15Prepare for releaseIngela Anderton Andin
2011-03-24Merge branch 'ia/public_key/encode-decode-ssh/OTP-9144' into devIngela Anderton Andin
* ia/public_key/encode-decode-ssh/OTP-9144: Implemented encode/decode support for ssh public key files
2011-03-24Implemented encode/decode support for ssh public key filesIngela Anderton Andin
2011-03-11Update copyright yearsBjörn-Egil Dahlberg
2011-03-08Merge branch 'ia/ssl/prepare-release' into devIngela Anderton Andin
* ia/ssl/prepare-release: Prepare for release
2011-03-07Prepare for releaseIngela Anderton Andin
2011-03-07Add the option { hibernate_after, int() } to ssl:connect and ssl:listenJeroen Koops
When making an SSL connection (either as client or as server), the process implementing the connection may use as much as hundreds of kilobytes of memory, even when idle. This is problematic for any application maintaining more than just a few SSL connections. This patch introduces the option { hibernate_after, int() } to the ssl:connect and ssl:listen functions, making the SSL connection process go into hibernation after the specified number of milliseconds of inactivity. This will reduce the memory used by the process to just a few hundred bytes, making applications with thousands or more SSL connections feasible, as long as most of the connections are idle for most of the time (which is typically the case). The approach of making the process go into hibernation only after some time of inactivity was chosen because hibernation incurs some CPU usage, and it is therefore not desirable for a process to hibernate after each call.
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-01 10:24:54 +0000