| Age | Commit message (Collapse) | Author |
|---|
|
Added session status "new" to mark sessions that are
in the session database to reserve the session id
but not resumable yet and that we want to separate from
sessions that has been invalidated for further reuse.
|
|
The time_stamp filed is now initated in the connection process
init function, so that invalidations of sessions due to handshake failiures,
will not cause sessions in the session table to have
an uninitiated time_stamp field.
|
|
* ia/ssl/prepare-for-relese:
Prepare version and appup for release
|
|
* ia/public_key/ssl/crypto/PKCS-8/OTP-9312:
Add clause for expected input to pubkey:pseudo_random_function/2 when ASN-1 compiler is fixed.
Clean up of public_key code adding specs and documentation
Added PKCS-8 support in ssl
Additions to crypto and public_key needed for full PKCS-8 support
Add PKCS-8 support to public_key
|
|
|
|
|
|
A wrong decryption key would cause a badmatch in
generic_block_cipher_from_bin/2. The try in block_decipher/5 was
probably intendend to deal with that, but was misplace for this.
Additionaly, generating a failure alert erly, without computing the
record MAC, creates vector for a timing attack on CBC padding (for
details check TLS 1.2 RFC 5246, Sect. 6.2.3.2.). This attach vector
and the counter meassure applies to all SSL/TLS versions.
As a counter messure, compute the MAC even when decryption or padding
checks fail. A invalid padding will force a MAC failure by intentionaly
invalidating the content.
|
|
I accidentally removed a little too much, only peercert/2 was deprecated.
|
|
* ia/ssl/remove-old-ssl/OTP-7048:
Remove old ssl implementation and deprecated function ssl:peercert/1
Conflicts:
lib/ssl/test/Makefile
|
|
* ia/ssl/dist-more-tests:
Better option handling
Improve code structure
Remove ssl_prim calls that are remains from the old ssl distribution
Add payload test
|
|
Also cleaned up old gaurds.
|
|
|
|
|
|
* dev:
Update copyright years
|
|
|
|
* upstream/dev:
Both the SSLv3 and TLS 1.0/TLS 1.1 specifications require implementations to ignore data following the ClientHello (i.e., extensions) if they do not understand them.
fix unknown ssl extension parsing by changing length from bits to bytes
Temporary disable tests on MAC due to issus with the MAC ODBC drivers
|
|
implementations to ignore data following the ClientHello (i.e.,
extensions) if they do not understand them.
Data not following the protocol format for extensions will be
ignored by the last dec_hello_extensions-clause.
OTP-8596
|
|
|
|
Conflicts:
erts/aclocal.m4
erts/include/internal/ethread_header_config.h.in
|
|
* ta/docs-fixes:
Fix misspelling of intermediate
Fix typos in erts/preloaded/src
Fix more misspellings of compatibility
Fix misspelling of kept
Fix misspelling of compatibility in ssl_basic_SUITE
Fix misspelling of compatibility
Fix misspelling of accommodate
Fix misspelling of exceed
Fix misspelling of accidentally
Fix misspelling of erroneous in xmerl_xsd
Fix misspelling of erroneous
Fix misspelling of successful
Fix typos in instrument(3)
Fix typos in dbg(3)
dialyzer: fix a small typo in list_to_bitstring test
Fix typos in cover.erl
Fix typos (variable name) in erl_nif(3)
Fix typos in mod_esi(3)
Fix trivial typos in erlang(3)
OTP-9555
|
|
|
|
* upstream/dev:
Support explicit use of packet option httph and httph_bin
|
|
|
|
|
|
* ia/ssl/dist/OTP-7053:
First fully working version
Use ssl instead of being a proxy command
Connect from both sides works now
|
|
|
|
|
|
|
|
|
|
* ia/ssl/use-inet-and-gen-specs:
Use inet and gen_* dialyzer specs
|
|
|
|
|
|
|
|
We want the certificate table to be handled the same way as the
session table and not have a global name, so that we may easier
create a separate ssl-manager to handle erlang distribution over ssl.
|
|
* ia/ssl/use-erlang-send-after-instead-of-timer-send-after:
Use erlang:send_after instead of timer:send_after
Conflicts:
lib/ssl/test/ssl_session_cache_SUITE.erl
|
|
Also save latest delay cleanup timer ref so that we can
use erlang:read_timer to write a more reliable
test case.
|
|
|
|
|
|
|
|
In ssl-4.1.5 temporary clean-up processes would crash resulting in
that the session table would not be cleaned up (e.i. using more and
more memory) and error reports would be printed, but connections would
not be affected.
|
|
|
|
that a session not be resumed. This is a change from TLS 1.0 to
conform with widespread implementation practice. Erlang ssl will now
in TLS 1.0 conform to the widespread implementation practice instead
of the specification to avoid performance issues.
|
|
Filipe David Manana
OTP-9114: [ftp] Added (type) spec for all exported functions.
OTP-9123: mod_esi:deliver/2 made to accept binary data.
Bernard Duggan
OTP-9124: [httpd] Prevent XSS in error pages.
Michael Santos
OTP-9131: [httpd] Wrong security property names used in documentation.
Garrett Smith
OTP-9157: [httpd] Improved error messages.
Ricardo Catalinas Jim�nez
OTP-9158: [httpd] Fix timeout message generated by mod_esi.
Bernard Duggan
OTP-9202: [httpd] Extended support for file descriptors.
Attila Rajmund Nohl
OTP-9230: The default ssl kind has now been changed to essl.
OTP-9246: [httpc] httpc manager crash because of a handler retry
race condition.
Merge branch 'bmk/inets/inet56_integration' into dev
|
|
Invalidation of a session for reusing should first flag that the
session may no longer be reused and then later when all possible
pending reuses have been handled delete the session from the
database. This could otherwise cause the client to terminate due to
{badarg,[{erlang,byte_size,[undefined]}, and the server to terminate due to
{{badmatch,{resumed,undefined}}.
|
|
reason badarg. Neither SSL nor INETS catches this, resulting in crashes
with incomprehensible reasons.
OTP-9289
|
|
reason badarg. Neither SSL nor INETS catches this, resulting in crashes
with incomprehensible reasons.
OTP-9289
|
|
|
|
|
|
ssl:send/2 takes iodata() as a second
argument. erlang:iolist_to_binary should really be called
erlang:iodata_to_binary which caused the mismatch in the first place.
|
|
|
