Age | Commit message (Collapse) | Author |
|
|
|
|
|
Check that the certificate chain ends with a trusted ROOT CA e.i. a
self-signed certificate, but provide an option partial_chain to
enable the application to define an intermediat CA as trusted.
TLS RFC says:
"unknown_ca
A valid certificate chain or partial chain was received, but the
certificate was not accepted because the CA certificate could not
be located or couldn't be matched with a known, trusted CA. This
message is always fatal."
and also states:
"certificate_list
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following
certificate MUST directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority MAY be omitted from the chain, under the
assumption that the remote end must already possess it in order to
validate it in any case."
X509 RFC says:
"The selection of a trust anchor is a matter of policy: it could be
the top CA in a hierarchical PKI, the CA that issued the verifier's
own certificate(s), or any other CA in a network PKI. The path
validation procedure is the same regardless of the choice of trust
anchor. In addition, different applications may rely on different
trust anchors, or may accept paths that begin with any of a set of
trust anchors."
|
|
|
|
|
|
|
|
|
|
|
|
When dealing with older certificates that does not indicate its signer
with a certificate extension, we must search the database for the issure.
Finding the issuer is not enough, we need to verify the signature
with the key in the found issuer cert.
|
|
FROM TLS 1.2 RFC:
The interaction of the certificate_types and
supported_signature_algorithms fields is somewhat complicated.
certificate_types has been present in TLS since SSLv3, but was
somewhat underspecified. Much of its functionality is superseded by
supported_signature_algorithms. The following rules apply:
- Any certificates provided by the client MUST be signed using a
hash/signature algorithm pair found in
supported_signature_algorithms.
- The end-entity certificate provided by the client MUST contain a
key that is compatible with certificate_types. If the key is a
signature key, it MUST be usable with some hash/signature
algorithm pair in supported_signature_algorithms.
- For historical reasons, the names of some client certificate types
include the algorithm used to sign the certificate. For example,
in earlier versions of TLS, rsa_fixed_dh meant a certificate
signed with RSA and containing a static DH key. In TLS 1.2, this
functionality has been obsoleted by the
supported_signature_algorithms, and the certificate type no longer
restricts the algorithm used to sign the certificate. For
example, if the server sends dss_fixed_dh certificate type and
{{sha1, dsa}, {sha1, rsa}} signature types, the client MAY reply
with a certificate containing a static DH key, signed with RSA-
SHA1.
|
|
* dnet/parse_sni:
added SNI decode test to SSL handshake suite
ssl: parse SNI in received client hello records
OTP-12048
|
|
This reverts commit fcc6a756277c8f041aae1b2aa431e43f9285c368.
|
|
|
|
* ia/ssl/CSS/OTP-11975:
ssl: Make sure change cipher spec is correctly handled
|
|
* ia/ssl/version-argument:
ssl: Version argument to ssl_cipher:anonymous_suites should not be added yet!
|
|
|
|
* qrilka/ssl-seconds-in-24h:
ssl: Fix incorrect number of seconds in 24 hours
|
|
|
|
* ia/ssl/dumb-clients/OTP-11969:
ssl: Avoid creating a huge session table
|
|
* ia/ssl/default-ciphers/OTP-11966:
ssl: Workaround that gen_fsm does not call CB:format_status when CB:terminate crashes.
SSL: always filter the full list of supported ciphers against the supported algorithms
ssl: Filter default ciphers for supported Crypto algorihms
|
|
crashes.
|
|
algorithms
With the addition of more ciphers that are not supported in all
configurations, using a manually prefiltered cipher list (e.g. EC vs.
non-EC ciphers) becomes to complex. Replace the manual split with
ssl_cipher:filter_suites/1 in all places.
Conflicts:
lib/ssl/src/ssl.erl
lib/ssl/src/tls_v1.erl
|
|
|
|
24 hours in seconds should be equal to 86400 and 86400000 in milliseconds
|
|
|
|
|
|
|
|
|
|
|
|
* dz/fix_ssl_max_seq_num:
ssl: fix max sequence number so it does not overflow
|
|
|
|
|
|
* ia/ssl/inherit/OTP-11897:
ssl: Handle socket option inheritance when pooling of accept sockets is used
|
|
The old value of 18446744073709552000 was calculated using math:pow
which returns float therefore isn't precise. And it would overflow:
erlang:integer_to_list(18446744073709552000, 16) = "10000000000000180"
This patch changes MAX_SEQENCE_NUMBER to value calculated with bitwise
shift:
(1 bsl 64) - 1 = 18446744073709551615
|
|
* ia/ssl/false-alerts/OTP-11890:
ssl: Add checks to avoid processing of illegal alerts
|
|
Implement a listen socket tracker process that holds the emulated socket
options so that it is possible to implement a destructive ssl:setopts
on SSL/TLS listen sockets without changing the options of the internal
socket as we want that socket to have the internal socket option values.
|
|
|
|
|
|
If a client sends some garbage in ssl record instead of
valid fragment, server crashes with function_clause while
receiving next record from client.
This patch makes server raise handshake failure instead of
crashing and exposing internal state to user code.
|
|
Also fix DTLS call to supply its corresponding TLS version
|
|
Negotiated version is now always passed to ssl_handshake:select_hashsign
because ssl_handshake:select_cert_hashsign has different rsa defaults on
tlsv1.2 and older versions.
|
|
|
|
* ia/ssl/decrypt-alert/OTP-11880:
ssl: Correct decryption error handling
|
|
* ia/ssl/recv/OTP-11878:
ssl: recv shall ruturn {error, einval} on active socket
|
|
* ia/ssl/suites-match-negotiated-version/OTP-11875:
ssl: Select supported cipher suites for the negotiated SSL/TLS-version
|
|
|
|
|
|
Generalize last warning alert function clause
|
|
When selecting the available cipher suites for the server all cipher suites
for the highest supported SSL/TLS-version would be selected, and not
all supported for the negotiated SSL/TLS-version. This could lead
to that faulty clients could negotiate cipher suites that they
can not support. This change will enable the faulty client to negotiate
another cipher suite that it can support.
|
|
|