aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src
AgeCommit message (Collapse)Author
2017-10-13Merge branch 'maint'Ingela Anderton Andin
2017-10-13ssl: Sessions must be registered with SNI if existsIngela Anderton Andin
2017-10-13ssl: Extend hostname check to fallback to checking IP-addressIngela Anderton Andin
If no SNI is available and the hostname is an IP-address also check for IP-address match. This check is not as good as a DNS hostname check and certificates using IP-address are not recommended.
2017-10-05ssl: Use new string functionsIngela Anderton Andin
The functions are not performance critical. Will be used when errors occurs, CRL data base is managed or legacy OpenSSL names are used for ciphers.
2017-10-02Merge branch 'maint'Ingela Anderton Andin
2017-09-30dtls: Compleate DTLS renegotiate implementationIngela Anderton Andin
2017-09-29Merge branch 'raimo/ssl-dist-skip-loopback/OTP-14465'Raimo Niskanen
* raimo/ssl-dist-skip-loopback/OTP-14465: Update runtime dependencies Disable debug function Pass all info's to the ssl_connection state function Remove ssl_tls_dist_ctrl module Remove ssl_tls_dist_ctrl process Remove ssl_tls_dist_proxy Avoid dialyzer warning Separate in and out in dist ctrl Rewrite dist ctrl from port to process Conflicts: lib/ssl/src/ssl.app.src
2017-09-29Update runtime dependenciesRaimo Niskanen
2017-09-28Disable debug functionRaimo Niskanen
2017-09-27Pass all info's to the ssl_connection state functionRaimo Niskanen
2017-09-27Remove ssl_tls_dist_ctrl moduleRaimo Niskanen
2017-09-26Remove ssl_tls_dist_ctrl processRaimo Niskanen
2017-09-20Merge branch 'maint'Ingela Anderton Andin
2017-09-20public_key, ssl: Prepare for releaseIngela Anderton Andin
OTP-14236 requires ssl runtime dependencies to update to latest public_key. OTP-14181 makes ssl test cases dependent on latest version latest public_key.
2017-09-15Remove ssl_tls_dist_proxyRaimo Niskanen
2017-09-15Avoid dialyzer warningRaimo Niskanen
2017-09-15Separate in and out in dist ctrlRaimo Niskanen
2017-09-15Rewrite dist ctrl from port to processRaimo Niskanen
2017-09-13Merge branch 'maint'Ingela Anderton Andin
2017-09-11ssl: Do not break abstractionIngela Anderton Andin
ssl_pkix_db should not hard code names. On the other hand the names are nicer with as <Prefix>_dist than <Prefix>dist.
2017-09-04Merge branch 'maint'Ingela Anderton Andin
2017-09-04Merge branch 'ingela/ssl/session-cache-max/OTP-14556' into maintIngela Anderton Andin
* ingela/ssl/session-cache-max/OTP-14556: ssl: Mend Max session handling
2017-09-04ssl: Mend Max session handlingIngela Anderton Andin
The commit 256e01ce80b3aadd63f303b9bda5722ad313220f was a misunderstanding that actually broke the implementation. It is not so important to keep specific max, rather max is a threshold when the table should be shrinked as to not grow indefinitely. New sessions are created when the id is created and may be short lived it they are not registered for reuse due to handshake failure.
2017-09-04Merge branch 'maint'Ingela Anderton Andin
2017-09-01ssl: Add the role (server or client) to the alert messageIngela Anderton Andin
It is desirable to be as specific as possible in the info message, so there can be no mistake if the alert is form the peer or generated by us. This use to be an error message, but it is better to make it an info message as sending an ALERT ending the connection is an expected behaviour.
2017-08-24Merge branch 'maint'Ingela Anderton Andin
2017-08-24Merge branch 'ingela/ssl/dtls-alert-handling/OTP-14078' into maintIngela Anderton Andin
* ingela/ssl/dtls-alert-handling/OTP-14078: dtls: Customize alert handling for DTLS over UDP
2017-08-24Merge branch 'maint'Ingela Anderton Andin
2017-08-24ssl: DTLS packet supportIngela Anderton Andin
Test that DTLS handles "high" level packet types as http-packet types. Low level packet type as {packet, 2} we will consider later if they should be relevant to support or not.
2017-08-23ssl: Adjust ALPN and next protocol to work with DTLSIngela Anderton Andin
2017-08-23ssl: negotiated_hashsign/4 expects TLS version to function correctlyIngela Anderton Andin
Only DTLS specific code deals with DTLS version, when common code is used the DTLS version should be converted to the corresponding TLS version.
2017-08-22Merge pull request #1518 from RoadRunnr/R20/ssl_anon_certsIngela Andin
RFC: ecdhe_psk cipher suites OTP-14547
2017-08-14dtls: Customize alert handling for DTLS over UDPIngela Anderton Andin
From RFC 6347: 4.1.2.7. Handling Invalid Records Unlike TLS, DTLS is resilient in the face of invalid records (e.g., invalid formatting, length, MAC, etc.). In general, invalid records SHOULD be silently discarded, thus preserving the association; however, an error MAY be logged for diagnostic purposes. Implementations which choose to generate an alert instead, MUST generate fatal level alerts to avoid attacks where the attacker repeatedly probes the implementation to see how it responds to various types of error. Note that if DTLS is run over UDP, then any implementation which does this will be extremely susceptible to denial-of-service (DoS) attacks because UDP forgery is so easy. Thus, this practice is NOT RECOMMENDED for such transports.
2017-08-11Merge branch 'maint'Ingela Anderton Andin
2017-08-11Merge branch 'ingela/ssl/cert-handling' into maintIngela Anderton Andin
* ingela/ssl/cert-handling: ssl: Correct cipher suite handling ssl: Modernize DSA cert chain generation ssl: Clean ssl: Remove test of OpenSSL ssl: Use new cert generation
2017-08-10Merge branch 'maint'Björn Gustavsson
* maint: sys_core_fold: Fix unsafe optimization of non-variable apply Correct type specification in ssl:prf/5
2017-08-10Merge pull request #1507 from vances/issue-erl-442Ingela Andin
Correct type specification in ssl:prf/5
2017-08-10ssl: Correct cipher suite handlingIngela Anderton Andin
This is mainly fixing the test suites so that they test the intended cipher suites, issue reported in ERL-460. Also ssl_cipher:anonymous_suites was corrected for DTLS.
2017-07-28Merge pull request #1519 from erszcz/fix-typo-listner-to-listenerRaimo Niskanen
Fix a proliferated typo in ssl
2017-07-24Fix a proliferated typoRadek Szymczyszyn
2017-07-23add draft-mattsson-tls-ecdhe-psk-aead ECDHE-PSK with GCM ciphersAndreas Schultz
Add the GCM ciphers from draft-mattsson-tls-ecdhe-psk-aead and the specification for the CCM cipher (but leave them commented out as we don't support CCM yet).
2017-07-21ssl: add ECDHE_PSK cipher suitesAndreas Schultz
2017-07-21ssl: don't sent client certificate with anon ciphersAndreas Schultz
whatever the SSL options say, when we negotiated a anonymous, PSK or SRP cipher suites, client certificates and certificate requests are not permitted.
2017-07-10Correct type specification in ssl:prf/5Vance Shipley
Current implementation expects Seed to be a list. Correct type specification to match.
2017-07-07ssl: Try to make asn1 decode errors of certificates as specific as possibleIngela Anderton Andin
2017-07-07ssl,public_key: Provide details for CRL check failiures when revokation ↵Ingela Anderton Andin
state can not be determined
2017-07-07ssl: Enhance error loggingIngela Anderton Andin
2017-06-19Update copyright yearHans Nilsson
2017-06-14Merge remote-tracking branch 'ingela/ingela/dtls/client-hello-verify/ERL-434'Hans Nilsson
2017-06-13dtls: Make HelloVerifyRequest version adhere to RFCIngela Anderton Andin
ERL-434 RFC6347 says about hello_verify_request version field as follow https://tools.ietf.org/html/rfc6347#page-16 The server_version field has the same syntax as in TLS. However, in order to avoid the requirement to do version negotiation in the initial handshake, DTLS 1.2 server implementations SHOULD use DTLS version 1.0 regardless of the version of TLS that is expected to be negotiated. But current DTLS server responses DTLS1.2 instead of DTLS1.0.
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-09 08:37:11 +0000