aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src
AgeCommit message (Collapse)Author
2018-03-06ssl: Fix anonymous suites regression and protocol errorBram Verburg
Anonymous cipher suites were broken altogether, and there was an earlier issue where the server would send a signature in the server key exchange if a certificate was configured, even if an anonymous suite was actually negotiated. Backport of PR-1729
2018-03-05ssl: Correct AEAD handlingIngela Anderton Andin
Cipher suite handling improvments missed to make a few changes for AEAD to be handled correctly see ERL-568
2018-02-12Merge pull request #1709 from ↵Ingela Andin
dumbbell/dumbbell/ssl/fix-active-once-dropped-when-handling-alert/ERL-562 ssl: Fix alert handling so that unexpected messages are logged and alerted correctly
2018-02-09ssl: Add the unexpected message to #alert{}Jean-Sébastien Pédron
... in handle_common_event(), instead of passing it to handle_own_alert() after wrapping it in a tuple with `StateName` (i.e. `{StateName, Msg}`). The `StateName` is passed to handle_normal_shutdown() and to alert_user(). The latter has a clause matching it against `connection`. Unfortunately, when the argument was in fact `{StateName, Msg}`, another clause was executed which dropped the `active` flag value and forced it to `false`, even if the state was actually `connection`. It meant that later in send_or_reply(), the alert was not propagated to the user, even though it should (`active` set to `true` or `once`). Now that handle_common_event() always passes the actual `StateName`, the problem is fixed. ERL-562
2018-02-07ssl: Make sure anonymous suites are handled separatelyIngela Anderton Andin
Preferably customized cipher suites will be based on the default value. But all may be used as base and hence it will be good to handle anonymous suites separately as they are intended for testing purposes.
2018-02-05ssl: Uses aead as mac value in AEAD cipher suitesIngela Anderton Andin
Authenticated encryption (AE) and authenticated encryption with associated data (AEAD, variant of AE) is a form of encryption which simultaneously provides confidentiality, integrity, and authenticity assurances on the data. This is more logical value then null that was used, this happened to work as the AEAD property was derived form other data, but it is confusing!
2018-02-05ssl: Add new API functions for cipher suite handlingIngela Anderton Andin
2018-01-23ssl: Add record version sanity checkIngela Anderton Andin
2018-01-11ssl: Correct function for listing RC4 suitesIngela Anderton Andin
2018-01-07dtls: Filter out rc4 for DTLS psk suitesIngela Anderton Andin
Stream ciphers are not valid fro DTLS
2018-01-04ssl: Prevent error handling race conditionIngela Anderton Andin
ERL-539
2017-12-20dtls: Add handling of lost key exchange in cipher stateIngela Anderton Andin
2017-12-20ssl: Correct DTLS client close handlingIngela Anderton Andin
2017-12-20Merge branch 'ingela/dtls-cuddling' into maintIngela Anderton Andin
* ingela/dtls-cuddling: dtls: Correct UDP listener cleanup dtls: Correct return value in UDP listener initialization
2017-12-20Merge branch 'ingela/DTLS/retransmission-timers' into maintIngela Anderton Andin
* ingela/DTLS/retransmission-timers: dtls: Use repeat_state to make sure retransmission timer is reset
2017-12-19remove duplicate operation for decode certificateJxck
completely deprecated operation with no effect.
2017-12-18dtls: Use repeat_state to make sure retransmission timer is resetIngela Anderton Andin
2017-12-15dtls: Correct UDP listener cleanupIngela Anderton Andin
2017-12-15dtls: Correct return value in UDP listener initializationIngela Anderton Andin
2017-12-14ssl: Align (with DTLS) and correct TLS_FALLBACK_SCSV handlingIngela Anderton Andin
2017-12-08[ssl] Update runtime dependenciesLars Thorsen
2017-12-05Merge branch 'ingela/ssl/cipher-suites/OTP-14749' into maintIngela Anderton Andin
* ingela/ssl/cipher-suites/OTP-14749: ssl: Use maps for cipher suites internally
2017-12-05ssl: Use maps for cipher suites internallyIngela Anderton Andin
This is a preparation for improvements to come in option handling and support for TLS-1.3
2017-12-04Use SNI when connectingRaimo Niskanen
2017-12-04Use -ssl_dist_optfile optionsRaimo Niskanen
2017-12-04Read in -ssl_dist_optfile to ETSRaimo Niskanen
2017-12-04Stop checking DNS name for SNIRaimo Niskanen
2017-12-01Merge branch 'ingela/ssl/timing' into maintIngela Anderton Andin
* ingela/ssl/timing: ssl: Align timing just in case
2017-11-29Merge branch 'ingela/ssl/ERL-521/OTP-14794' into maintIngela Anderton Andin
* ingela/ssl/ERL-521/OTP-14794: ssl: Make sure all possible data is delivered
2017-11-28ssl: Align timing just in caseIngela Anderton Andin
2017-11-28ssl: Make sure all possible data is deliveredIngela Anderton Andin
2017-11-24ssl: Add gracefullness to dtls codeIngela Anderton Andin
Also make tls code a little more direct for easier uderstanding
2017-11-24ssl: Remove old softupgrade codeIngela Anderton Andin
This code is only relevant in version is was written in.
2017-11-24ssl: Use genstamtem properlyIngela Anderton Andin
2017-11-24ssl: Fix incorrect merge conflict resolutionIngela Anderton Andin
When handling merging of back ported Counter measurements for Bleichenbacher attack a line from DTLS was accidentally lost.
2017-11-23Merge branch 'maint-20' into maintIngela Anderton Andin
* maint-20: Updated OTP version Update release notes Update version numbers public_key: verify ip (both v4 and v6) public_key: Added IP4 address checks to hostname_verification tests ssl: Fix test cases to work on all test platforms public_key: Fix dialyzer spec ssl: Sessions must be registered with SNI if exists ssl: Extend hostname check to fallback to checking IP-address public_key, ssl: Handles keys so that APIs are preserved correctly ssl: Use ?FUNCTION_NAME ssl: Prepare for release ssl: Countermeasurements for Bleichenbacher attack Conflicts: lib/public_key/doc/src/public_key.xml lib/public_key/test/public_key_SUITE.erl lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf lib/ssl/src/dtls_connection.erl lib/ssl/src/ssl_connection.erl lib/ssl/src/ssl_handshake.erl
2017-11-22Merge branch ↵Erlang/OTP
'ingela/maint-20/ssl/extend-hostname-check/OTP-14632/OTP-14655/OTP-14766' into maint-20 * ingela/maint-20/ssl/extend-hostname-check/OTP-14632/OTP-14655/OTP-14766: ssl: Fix test cases to work on all test platforms public_key: Fix dialyzer spec ssl: Sessions must be registered with SNI if exists ssl: Extend hostname check to fallback to checking IP-address public_key, ssl: Handles keys so that APIs are preserved correctly ssl: Use ?FUNCTION_NAME
2017-11-16ssl: Align code of TLS/DTLS handshake handlingIngela Anderton Andin
2017-11-16ssl: Align code of TLS/DTLS record handlingIngela Anderton Andin
2017-11-16ssl: Align code of main modules implementing the gen_statem behaviourIngela Anderton Andin
2017-11-16dtls: Add state specIngela Anderton Andin
2017-11-09ssl: Sessions must be registered with SNI if existsIngela Anderton Andin
2017-11-09ssl: Extend hostname check to fallback to checking IP-addressIngela Anderton Andin
If no SNI is available and the hostname is an IP-address also check for IP-address match. This check is not as good as a DNS hostname check and certificates using IP-address are not recommended.
2017-11-09 ssl: Use ?FUNCTION_NAMEIngela Anderton Andin
Use ?FUNCTION_NAME macro to enhance code as we will not back-port this version of the ssl application to versions pre OTP 19.
2017-11-09ssl: Countermeasurements for Bleichenbacher attackIngela Anderton Andin
2017-11-08ssl: Add private key configuration for crypto engineIngela Anderton Andin
2017-10-20ssl: Do not provide IP address to ssl:connect in erlang distribution over TLSIngela Anderton Andin
As TLS clients will perform a hostname check against certificates the IP-address does not make much sense.
2017-10-18Merge branch 'ingela/dtls/no-packet-upd/OTP-14664' into maintIngela Anderton Andin
* ingela/dtls/no-packet-upd/OTP-14664: ssl: No support for packet option over unreliable transport
2017-10-17Merge branch 'ingela/ssl/extend-hostname-check/OTP-14632/OTP-14655' into maintIngela Anderton Andin
* ingela/ssl/extend-hostname-check/OTP-14632/OTP-14655: ssl: Fix test cases to work on all test platforms public_key: Fix dialyzer spec ssl: Sessions must be registered with SNI if exists ssl: Extend hostname check to fallback to checking IP-address public_key, ssl: Handles keys so that APIs are preserved correctly
2017-10-17ssl: No support for packet option over unreliable transportIngela Anderton Andin