| Age | Commit message (Collapse) | Author |
|---|
|
A #sslsocket{} contains the fsm pid and value that was previously set to
old_ssl or new_ssl to make the transition period smoother. Now that old
ssl is not supported any more we use this field to store the inet socket
reference instead. This enables some API functions to return quicker
as they do not need to communicate with the fsm-process.
|
|
same as in gen_tcp.
Made error handling of listen sockets as arguments to funtions
expecting a connected socket more inet/gen_tcp like.
|
|
* ia/ssl/npn/OTP-10361:
ssl: Shorten test case names to workaround ct shortcomings on windows
ssl: SSL 3.0 does not support next protocol negotiation
ssl: Dialyzer fixes and code cleaning
ssl: Changed default behaviour of next protocol negotiation to make more "sense" (be true to the specification).
ssl: Update SSL docs for SSL Next Protocol Support
ssl: Support for SSL Next Protocol Negotiation * http://technotes.googlecode.com/git/nextprotoneg.html
|
|
|
|
Also shorten test cases names to workaround test framework problems
on windows
|
|
Types in a record where wrongly type specified, did not include
undefined. Make them comments for now, maybe we will specify internal
records with dialyzer types later, but as the other record fields are
not specified at the moment, with dialyzer types, make the code
consistent.
|
|
more "sense" (be true to the specification).
|
|
* http://technotes.googlecode.com/git/nextprotoneg.html
|
|
|
|
|
|
utf8 and close down gracefully if other ASN-1 errors occur.
The reason certificate_unknown that is used as ALERT for ASN-1 encoding failure is described as:
Some other (unspecified) issue arose in processing the
certificate, rendering it unacceptable.
|
|
* ia/sslv3-alert/OTP-10196:
ssl: Add missing sslv3 alert
|
|
|
|
|
|
Tickets solved by this branch: OTP-8871, OTP-8872 and OTP-9908
|
|
|
|
|
|
This options is useless and should be deprecated. But we behave
as inet does for now!
|
|
with TLS 1.2 the hash and signature on a certify message can
differ from the defaults. So we have to make sure to always
use the hash and signature algorithm indicated in the
handshake message
|
|
combinations
|
|
This is also avoids triggering some bugs in OpenSSL.
|
|
|
|
|
|
|
|
|
|
As we did not yet support IDEA ciphers and they have now become deprecated we
skip supporting them altogether.
|
|
|
|
|
|
|
|
TLS 1.2 introduces changes on how signatures
are calculate and encoded. This makes the
signature handling version aware
|
|
|
|
|
|
|
|
TLS 1.2 allows to negotiate the used PRF,
additional the default PRF uses a different
hash. This change make the PRF selectable
and hardwires the PRF for TLS < 1.2
|
|
dh parameter verification is done differently with TLS 1.2.
Prepare for that by passing the verion to verify_dh_params.
|
|
TLS 1.2 changes the layout of several handshake
records. This adds the TLS version to dec_hs/2
so it can decode those.
|
|
TLS 1.2 changed the way digital signatures are
done. key_exchange/3 needs to pass the version
to it.
|
|
|
|
With TLS 1.2 the handling of the IV in cipher blocks
changed. This prepares ssl_cipher:cipher/5 for that
change by passing the TLS version into it and allowing
generic_block_cipher_from_bin/4 to overload the IV.
|
|
TLS/SSL version before 1.2 always used a MD5/SHA combination
for the handshake hashes. With TLS 1.2 the default hash is
SHA256 and it is possible to negotiate a different hash.
This change delays the calculation of the handshake
hashes until they are really needed. At that point the hash
to use should be known.
For now MD5/SHA is still hard coded.
|
|
* ia/ssl/recv-bug/OTP-10118:
ssl: Fix bug in the handling of remote connection closure of {active,false} ssl sockets.
|
|
A general case clause was put before a less general so that the less
general case would never match.
|
|
ssl sockets.
|
|
* ia/ssl/bottlenecks/OTP-10113:
ssl: Test case fixes
ssl: Avoid second bottleneck in supervisor
ssl: File handling optimization
ssl: Simpler PEM cache
ssl: Refactored for readability
ssl: Use md5 as file ref id instead of filenames
ssl: Move ets:select bottleneck in server
ssl: Renegotiate updates session id in gen_fsm state
ssl: Use ordered_set in cache
ssl: Move and avoid ets:select bottleneck in client
ssl: Reuse session check optimization
ssl: Avoid supervior bottleneck
|
|
Do proc_lib:spawn_link instead of proc_lib:start_link as synchronized
init is not used/needed anyway.
|
|
Avoid cach validation with file:file_info/2 as this i too expensive and
causes a bottleneck in the file server. Instead we expose a new API function
ssl:clear_pem_cache/0 to deal with the problem. As we think it will be
of occasional use and the normal case is that the cache will be valid we think
it is the right thing to do.
Convert file paths to binary representation in the ssl API module to
avoid uncessarry calls in file later on.
Also add sanity checks for openssl versions in testsuite due to new
openssl bugs.
|
|
|
|
Instance of state variable that are "updated" in a function is called
for example State0 and the last instance, that should be returned, is
called State possible intermidiat versions are suffixed by increasing
numbers. State0 may be rturned in error cases.
Avoid nesting case statments.
|
|
Aviods storing a lot of data
|
|
Only use ssl_manager for selecting new ids to guarantee uniqueness,
but reuse check does not need to be performed by the manager.
|
