aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src
AgeCommit message (Collapse)Author
2015-09-18ssl: Correct soft upgrade testIngela Anderton Andin
Soft upgrade test did not work as expected due to that the upgrade frame work keeps the control of the test case process to itself, so we need a proxy process to receive messages from ssl test framework.
2015-09-16ssl: Prepare for releaseIngela Anderton Andin
We do not want ssl_soft_upgrade_SUITE to fail, but for now we do not know the details of these changes so we use a general fallback for now.
2015-09-16Merge branch 'ia/ssl/register-unique-session/OTP-12980' into maintIngela Anderton Andin
* ia/ssl/register-unique-session/OTP-12980: ssl: Correct return value of default session callback module
2015-09-16ssl: Better timeout gaurdsIngela Anderton Andin
2015-09-16ssl: Improve shutdown logicIngela Anderton Andin
Add possibility to downgrade an SSL/TLS connection to a tcp connection, and give back the socket control to a user process. Add application setting to be able to change fatal alert shutdown timeout, also shorten the default timeout. The fatal alert timeout is the number of milliseconds between sending of a fatal alert and closing the connection. Waiting a little while improves the peers chances to properly receiving the alert so it may shutdown gracefully.
2015-09-15ssl: Correct return value of default session callback moduleIngela Anderton Andin
ssl_session_cache:select_session/2 returned [sesionid(), #session{}] instead of #session{} as the API demands. This was wrongly compensated for in the code in one place making it look like everything was good. But the client check for unique session would always fail, potentially making the client session table grow a lot and causing long setup times.
2015-09-08Accept 'ECPrivateKey' as a ssl key optionYuki Ito
2015-06-18Change license text to APLv2Bruce Yinhe
2015-06-15Merge branch 'ia/ssl/unknown-hash/OTP-12829'Ingela Anderton Andin
* ia/ssl/unknown-hash/OTP-12829: ssl: Add unassigned values ssl: Do not crash on proprietary hash_sign algorithms
2015-06-10Merge branch 'ferd/deny-client-renegotiation'Henrik Nord
* ferd/deny-client-renegotiation: Add disable client-initiated renegotiation option Conflicts: lib/ssl/doc/src/ssl.xml lib/ssl/src/ssl.erl OTP-12815
2015-06-10ssl: Add unassigned valuesIngela Anderton Andin
2015-06-08ssl: Do not crash on proprietary hash_sign algorithmsIngela Anderton Andin
TLS hash_sign algorithms may have proprietary values see http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml We should add callbacks to let applications handle them. But for now we do not want to crash if they are present and let other algorithms be negotiated.
2015-06-08ssl: Update appup for 18Ingela Anderton Andin
2015-06-03Add disable client-initiated renegotiation optionFred Hebert
Client-initiated renegotiation is more costly for the server than the client, and this feature can be abused in denial of service attempts. Although the ssl application already takes counter-measure for these (via cooldown periods between renegotiations), it can be useful to disable the feature entirely. This patch adds the `{client_renegotiation, boolean()}' option to the server-side of the SSL application (defaulting to `true' to be compatible with the current behaviour). The option disables the ability to do any renegotiation at all in the protocol's state, reusing the existing denial code, but without opening the code path that sets up a timed message to eventually reopen it up.
2015-06-02Merge branch 'tombriden/handle_ssl_error'Henrik Nord
* tombriden/handle_ssl_error: TLS Dist: Handle ssl_error and close ssl socket OTP-12799
2015-06-02Merge branch 'maint'Henrik Nord
Conflicts: OTP_VERSION lib/inets/test/httpd_SUITE.erl lib/inets/vsn.mk lib/ssh/src/ssh.erl lib/ssh/vsn.mk lib/ssl/src/ssl.appup.src lib/ssl/vsn.mk
2015-05-29ssl: Prepare for releaseIngela Anderton Andin
2015-05-29ssl: Correct handling of bad input to premaster_secret calculationIngela Anderton Andin
alert records needs to be thrown from ssl_handshake:premaster_secret/[2/3] so that operations will end up in the catch clause of the invokation of certify_client_key_exchange/3 in ssl_connection.erl, and hence terminate gracefully and not continue to try and calculate the master secret with invalid inputs and crash.
2015-05-12ssl: Refactored and corrected sni_fun handlingIngela Anderton Andin
Dialyzer warned about the incorrect match of Packets. Code was refactored and the problem avoided in the process. Dialyzer warned that the empty tuple is not a function as the contract said it should be. Changed the handling of the sni_fun default value to be undefined and added it to the contract.
2015-05-12ssl: add option sni_funQijiang Fan
The newly added function sni_fun allows dynamic update of SSL options like keys and certificates depending on different SNI hostname, rather than a predefined rules of SSL options.
2015-05-12ssl: add ssl:connection_information/[1,2]Qijiang Fan
This commit adds a new function, ssl:connection_information/[1,2] to retrive the connection information from a SSLSocket. And also, this deprecates a function ssl:connection_info/1, and reimplements connection_info/1 with the new function.
2015-05-12ssl: deny recursively defined sni_hostsQijiang Fan
2015-05-12ssl: add SNI server supportQijiang Fan
2015-04-29TLS Dist: Handle ssl_error and close ssl socketTom Briden
In some instances, restarting a node causes a fatal SSL error on the other nodes which isn't handled leaving the socket open. Eventually the nodes will net tick timeout but the node being restarted never comes back to life By handling the fatal error and closing the socket, the restarting node can restart successfully even when the ssl error occurs
2015-04-20ssl: Ignore signature_algorithm (TLS 1.2 extension) sent to TLS 1.0/1 serverAndreas Schultz
pre TLS 1.2 server should ignore the signature_algorithms extension. The server code would attempt to select the signature/hash algorithm even when using TLS 1.0 or 1.1. Instead it should simply use the default algorithm on those versions.
2015-04-20ssl: Adjust to public_key application removing legacy compact_bit_string switchIngela Anderton Andin
2015-04-16ssl: Add runtime depenency due to commit ↵Ingela Anderton Andin
4e0a5e36b38e3f15ed8f7d700d26f2424a47111c
2015-03-23ssl: Dialyzer fixesIngela Anderton Andin
2015-03-17ssl: Add TLS-ALPN supportLoïc Hoguin
This commit adds support for RFC7301, application-layer protocol negotiation. ALPN is the standard based approach to the NPN extension, and is required for HTTP/2. ALPN lives side by side with NPN and provides an equivalent feature but in this case it is the server that decides what protocol to use, not the client. When both ALPN and NPN are sent by a client, and the server is configured with both ALPN and NPN options, ALPN will always take precedence. This behavior can also be found in the OpenSSL implementation of ALPN. ALPN and NPN share the ssl:negotiated_protocol/1 function for retrieving the negotiated protocol. The previously existing function ssl:negotiated_next_protocol/1 still exists, but has been deprecated and removed from the documentation. The tests against OpenSSL require OpenSSL version 1.0.2+.
2015-03-16ssl: Fix incorrect argument handling, thanks to dialyzerIngela Anderton Andin
2015-03-11ssl: Dialyzer fixesIngela Anderton Andin
2015-03-09ssl: Integrate public_key CRL verification with the ssl applicationIngela Anderton Andin
2015-03-05Merge branch 'maint'Ingela Anderton Andin
Conflicts: lib/ssl/src/ssl_cipher.erl lib/ssl/test/ssl_basic_SUITE.erl
2015-03-02ssl: Implement support for TLS_FALLBACK_SCSVIngela Anderton Andin
2015-02-18ssl: remove -> deleteIngela Anderton Andin
Correct mistake
2015-02-13ssl: Prepare for 18Ingela Anderton Andin
2015-02-09Merge branch 'maint'Ingela Anderton Andin
2015-02-09ssl: erlang:timestamp -> os:timestampIngela Anderton Andin
For comparison with file time stamps os:timestamp makes more sense and is present in 17 as well as 18.
2015-02-06Merge branch 'maint'Ingela Anderton Andin
Conflicts: lib/ssl/doc/src/ssl_app.xml lib/ssl/src/ssl_manager.erl
2015-02-06ssl: Improve PEM cache by validating entriesIngela Anderton Andin
The PEM cache is now validated by a background process, instead of always keeping it if it is small enough and clearing it otherwhiss. That strategy required that small caches where cleared by API function if a file changes on disk. However document the clearing API function as it can still be usefull.
2015-02-02Merge branch 'maint'Ingela Anderton Andin
2015-01-30ssl: Remove selfsigned anchor certificate from the certificate chainIngela Anderton Andin
A selfsigned trusted anchor should not be in the certifcate chain passed to the certificate path validation. Conflicts: lib/ssl/src/ssl_certificate.erl
2015-01-23ssl: Remove default support for RC4 ciphersIngela Anderton Andin
2015-01-23ssl: Reenable padding check for TLS-1.0 and provide backwards compatibleIngela Anderton Andin
disable option
2015-01-23ssl: Remove sslv3 from the default supported protocol versionsIngela Anderton Andin
2015-01-23ssl: Reenable padding check for TLS-1.0 and provide backwards compatibleIngela Anderton Andin
disable option Conflicts: lib/ssl/src/ssl_cipher.erl lib/ssl/src/ssl_record.erl lib/ssl/src/tls_record.erl lib/ssl/test/ssl_cipher_SUITE.erl
2014-12-03Merge branch 'maint'Ingela Anderton Andin
2014-12-03ssl: Correct appupIngela Anderton Andin
2014-12-02Merge branch 'maint'Ingela Anderton Andin
2014-12-01ssl: Prepare for releaseIngela Anderton Andin