aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src
AgeCommit message (Collapse)Author
2011-05-24Corrected last argument to timer:apply_after also corrected a dilyzer specIngela Anderton Andin
2011-05-17In TLS 1.1, failure to properly close a connection no longer requiresIngela Anderton Andin
that a session not be resumed. This is a change from TLS 1.0 to conform with widespread implementation practice. Erlang ssl will now in TLS 1.0 conform to the widespread implementation practice instead of the specification to avoid performance issues.
2011-05-16OTP-9094: [httpc] Add support for upload body streaming (PUT and POST).Micael Karlberg
Filipe David Manana OTP-9114: [ftp] Added (type) spec for all exported functions. OTP-9123: mod_esi:deliver/2 made to accept binary data. Bernard Duggan OTP-9124: [httpd] Prevent XSS in error pages. Michael Santos OTP-9131: [httpd] Wrong security property names used in documentation. Garrett Smith OTP-9157: [httpd] Improved error messages. Ricardo Catalinas Jim�nez OTP-9158: [httpd] Fix timeout message generated by mod_esi. Bernard Duggan OTP-9202: [httpd] Extended support for file descriptors. Attila Rajmund Nohl OTP-9230: The default ssl kind has now been changed to essl. OTP-9246: [httpc] httpc manager crash because of a handler retry race condition. Merge branch 'bmk/inets/inet56_integration' into dev
2011-05-13Ssl sometimes fails when reusing a sessionIngela Anderton Andin
Invalidation of a session for reusing should first flag that the session may no longer be reused and then later when all possible pending reuses have been handled delete the session from the database. This could otherwise cause the client to terminate due to {badarg,[{erlang,byte_size,[undefined]}, and the server to terminate due to {{badmatch,{resumed,undefined}}.
2011-05-12Calling gen_tcp:connect with option {ip, {127,0,0,1}} results in an exit withMicael Karlberg
reason badarg. Neither SSL nor INETS catches this, resulting in crashes with incomprehensible reasons. OTP-9289
2011-05-12Calling gen_tcp:connect with option {ip, {127,0,0,1}} results in an exit withMicael Karlberg
reason badarg. Neither SSL nor INETS catches this, resulting in crashes with incomprehensible reasons. OTP-9289
2011-05-05Spec correctionsIngela Anderton Andin
2011-05-04Dialyzer spec fixIngela Anderton Andin
2011-04-29Changed iolist() to iodata()Ingela Anderton Andin
ssl:send/2 takes iodata() as a second argument. erlang:iolist_to_binary should really be called erlang:iodata_to_binary which caused the mismatch in the first place.
2011-04-15Prepare for releaseIngela Anderton Andin
2011-03-24Merge branch 'ia/public_key/encode-decode-ssh/OTP-9144' into devIngela Anderton Andin
* ia/public_key/encode-decode-ssh/OTP-9144: Implemented encode/decode support for ssh public key files
2011-03-24Implemented encode/decode support for ssh public key filesIngela Anderton Andin
2011-03-11Update copyright yearsBjörn-Egil Dahlberg
2011-03-08Merge branch 'ia/ssl/prepare-release' into devIngela Anderton Andin
* ia/ssl/prepare-release: Prepare for release
2011-03-07Prepare for releaseIngela Anderton Andin
2011-03-07Add the option { hibernate_after, int() } to ssl:connect and ssl:listenJeroen Koops
When making an SSL connection (either as client or as server), the process implementing the connection may use as much as hundreds of kilobytes of memory, even when idle. This is problematic for any application maintaining more than just a few SSL connections. This patch introduces the option { hibernate_after, int() } to the ssl:connect and ssl:listen functions, making the SSL connection process go into hibernation after the specified number of milliseconds of inactivity. This will reduce the memory used by the process to just a few hundred bytes, making applications with thousands or more SSL connections feasible, as long as most of the connections are idle for most of the time (which is typically the case). The approach of making the process go into hibernation only after some time of inactivity was chosen because hibernation incurs some CPU usage, and it is therefore not desirable for a process to hibernate after each call.
2011-02-22Dialyzer does not like old fun syntaxIngela Anderton Andin
2011-02-22Corrected dialyzer specsIngela Anderton Andin
2011-02-22Modernized some dialyzer specsIngela Anderton Andin
2011-02-11Added missing return value in dialyzer specs (ssl.erl)Ingela Anderton Andin
Suppressed dialyzer warnings with spec if possible to minimize clutter from this file belonging to old ssl.
2011-01-20Merge branch 'maint-r14' into devIngela Anderton Andin
2011-01-17Merge branch 'ia/ssl/unknown-extension-handling-verify-none/OTP-9029' into ↵Erlang/OTP
maint-r14 * ia/ssl/unknown-extension-handling-verify-none/OTP-9029: Prepare for release Verification of a critical extended_key_usage-extension corrected
2011-01-17Prepare for releaseIngela Anderton Andin
2011-01-17Verification of a critical extended_key_usage-extension correctedIngela Anderton Andin
When a verify fun is supplied, it should not be called to verify the extended_key_usage-extension when it is already verified by the ssl_certificate:validate_extension/2
2011-01-13Reduce memory footprintIngela Anderton Andin
Handshake hashes, premaster secret and "public_key_info" does not need to be saved when the connection has been established. The own certificate is no longer duplicated in the state.
2011-01-10Fixed Dialyzer specsIngela Anderton Andin
------------------------------------------------------------------------- ssl's published documentation states: ssl_accept(ListenSocket) -> ssl_accept(ListenSocket, Timeout) -> ok | {error, Reason} (see http://www.erlang.org/doc/man/ssl.html#ssl_accept-1) while its code has the specs: -spec ssl_accept(#sslsocket{}) -> {ok, #sslsocket{}} | {error, reason()}. -spec ssl_accept(#sslsocket{}, list() | timeout()) -> {ok, #sslsocket{}} | {error, reason()}. One of the two cannot be right. This should be fixed. Moreover, I do not see why the spec just mentions list() for the options when the documentation explicitly mentions the options of ssl. Kostis ---------------------------------------------------------------------
2011-01-10Corrected handling of data from an ets select.Ingela Anderton Andin
The previous code happened to worked if the select-statment returned only on entry.
2010-12-20Merge branch 'maint-r14' into devIngela Anderton Andin
2010-12-17Cleaned up meaningless code discovered thanks to coverIngela Anderton Andin
2010-12-16Prepare for releaseIngela Anderton Andin
2010-12-16Cache invalidation and consistent user closingIngela Anderton Andin
Added cache invalidation control of ssl certificates so that sessions will not be reused if file content is changed. There was a glitch in ssl:close that made it possible to to get eaddrinuse even though reuseadder-option was used. Also improved tests for better user-close handling.
2010-12-16Cache invaldation first version does not break old test casesIngela Anderton Andin
2010-12-02Prepare for releaseIngela Anderton Andin
2010-11-30Fixed guard and test caseIngela Anderton Andin
Data to sign and verify should be inputed as binaries. Also cleaned up and moved some dialyzer specs.
2010-11-18Added alert in stream cipher case.Ingela Anderton Andin
Also changed alert to BAD_RECORD_MAC as: "differentiating between bad_record_mac and decryption_failed alerts may permit certain attacks against CBC mode as used in TLS [CBCATT]. It is preferable to uniformly use the bad_record_mac alert to hide the specific type of the error." Also cleaned up the code and changed a few other alert reasons in according to alert descriptions in the TLS RFC 4346. And added function terminate_alert/3 so that we can differentiate between a crash in ssl (a bug in our code) and a crash in the application using ssl.
2010-11-10Added "DECRYPTION_FAILED ALERT" for block decipher failure.Ingela Anderton Andin
Also fixed incorrect dialyzer spec.
2010-10-21Merge branch 'ia/ssl/certificate-verify/wrong-key-method/OTP-8897' into devBjörn Gustavsson
* ia/ssl/certificate-verify/wrong-key-method/OTP-8897: Correct handling of client certificate verify message Conflicts: lib/ssl/src/ssl_handshake.erl
2010-10-20Correct handling of client certificate verify messageIngela Anderton Andin
When checking the client certificate verify message the server used the wrong algorithm identifier to determine the signing algorithm, causing a function clause error in the public_key application when the key-exchange algorithm and the public key algorithm of the client certificate happen to differ.
2010-10-07Anonymous cipher suitesIngela Anderton Andin
For testing purposes ssl now also support some anonymous cipher suites when explicitly configured to do so. Also moved session cache tests to its own suite, so that timeout of end_per_testcase when the mnesia is used as session cache will not affect other test cases.
2010-10-01Merge branch 'maint-r14' into devIngela Anderton Andin
Conflicts: lib/public_key/src/pubkey_cert.erl
2010-09-29Merge branch 'ia/ssl-and-public_key/verify_fun_peer_awarness/OTP-8873' into ↵Erlang/OTP
maint-r14 * ia/ssl-and-public_key/verify_fun_peer_awarness/OTP-8873: Peer awarness
2010-09-29Peer awarnessIngela Anderton Andin
Changed the verify fun so that it differentiate between the peer certificate and CA certificates by using valid_peer or valid as the second argument to the verify fun. It may not always be trivial or even possible to know when the peer certificate is reached otherwise.
2010-09-27Merge branch 'ia/ssl-and-public_key/backwards-compatibility/OTP-8858' into devIngela Anderton Andin
* ia/ssl-and-public_key/backwards-compatibility/OTP-8858: Backwards compatibility Conflicts: lib/ssl/src/ssl_certificate_db.erl Use short INFO-message. Debugging information can be fairly easily recreated so we do not want to clutter the logs.
2010-09-24Backwards compatibilityIngela Anderton Andin
Changed implementation to retain backwards compatibility for old option {verify, 0} that shall be equivalent to {verify, verify_none}, also separate the cases unknown CA and selfsigned peer cert, and restored return value of deprecated function public_key:pem_to_der/1.
2010-09-21Handling of DSA key parametersIngela Anderton Andin
DSS-Params may be null in a certificate as it can inherit the parameters. Also ignore CA-certs that do not follow ASN-1 spec in RFC 5280.
2010-09-15Corrected and added dialyzer specsIngela Anderton Andin
2010-09-10Improved certificate extension handlingIngela Anderton Andin
Added the functionality so that the verification fun will be called when a certificate is considered valid by the path validation to allow access to eachs certificate in the path to the user application. Removed clause that only check that a extension is not critical, it does alter the verification rusult only withholds information from the application. Try to verify subject-AltName, if unable to verify it let application try.
2010-09-07Add missed DER dh option.Ingela Anderton Andin
2010-09-06Handling of path validation errors by the applicationIngela Anderton Andin
Changed the behavior of the verify_fun option so that the application can be responsible for handling path validation errors even on the server side. Also replaced the not yet documented validate_extensions_fun to be handled by the verify_fun instead. If the verify callback fun returns {fail, Reason}, the verification process is immediately stopped and an alert is sent to the peer and the TLS/SSL handshake is terminated. If the verify callback fun returns {valid, UserState}, the verification process is continued. If the verify callback fun always returns {valid, UserState}, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established. The verify callback fun will also be able to verify application specific extensions.
2010-09-03DER format in APIIngela Anderton Andin
Added support for inputing certificates and keys directly in DER format these options will override the pem-file options if specified.