| Age | Commit message (Collapse) | Author |
|---|
|
* ia/ssl/decrypt-alert/OTP-11880:
ssl: Correct decryption error handling
|
|
* ia/ssl/recv/OTP-11878:
ssl: recv shall ruturn {error, einval} on active socket
|
|
* ia/ssl/suites-match-negotiated-version/OTP-11875:
ssl: Select supported cipher suites for the negotiated SSL/TLS-version
|
|
|
|
|
|
Generalize last warning alert function clause
|
|
When selecting the available cipher suites for the server all cipher suites
for the highest supported SSL/TLS-version would be selected, and not
all supported for the negotiated SSL/TLS-version. This could lead
to that faulty clients could negotiate cipher suites that they
can not support. This change will enable the faulty client to negotiate
another cipher suite that it can support.
|
|
|
|
* ia/ssl/continue-dtls-and-specs:
ssl: Avoid dialyzer warnings in dtls code
ssl: Improve type specs
ssl: Refactor and start implementing dtls_connection.erl
|
|
Even if DTLS is not finished, e.i. not runnable yet we
want to phase in the code together with refactoring of TLS code,
but without introducing warnings in the release.
|
|
Conflicts:
lib/ssl/src/dtls_record.erl
|
|
|
|
unexpected alerts.
Add recognitions of RFC 4366 alerts and handle possible
unimplementd alerts in a gracefully way.
|
|
Most dependencies introduced are exactly the dependencies to other
applications found by xref. That is, there might be real dependencies
missing. There might also be pure debug dependencies listed that
probably should be removed. Each application has to be manually
inspected in order to ensure that all real dependencies are listed.
All dependencies introduced are to application versions used in
OTP 17.0. This since the previously used version scheme wasn't
designed for this, and in order to minimize the work of introducing
the dependencies.
|
|
crashing.
When TLS client sends Supported Elliptic Curves Client Hello Extension
the server shall select a curve supported by both sides or refuse to
negotiate the use of an ECC cipher suite.
|
|
|
|
Avoid puzzling behavior due to options being disregarded if they
are not key value tuples.
|
|
|
|
|
|
* ia/ssl/prepare-for-release:
ssl: Prepare for release
|
|
|
|
* fenollp/otp-edoc-usage-fixes:
Fix edoc usage errors
OTP-11702
|
|
* hb/dialyzer/deprecate_types/OTP-10342:
Deprecate pre-defined built-in types
|
|
The types array(), dict(), digraph(), gb_set(), gb_tree(), queue(),
set(), and tid() have been deprecated. They will be removed in OTP 18.0.
Instead the types array:array(), dict:dict(), digraph:graph(),
gb_set:set(), gb_tree:tree(), queue:queue(), sets:set(), and ets:tid()
can be used. (Note: it has always been necessary to use ets:tid().)
It is allowed in OTP 17.0 to locally re-define the types array(), dict(),
and so on.
New types array:array/1, dict:dict/2, gb_sets:set/1, gb_trees:tree/2,
queue:queue/1, and sets:set/1 have been added.
|
|
in pure DER format.
The incorrect code could cause a memory leek when certs where inputed
in DER.
|
|
|
|
Errors discovered using `erldocs`:
Superfluous @hidden tag would exit edoc application;
'Multiple @spec tag': appended a @clear tag after macro condition;
'@spec arity does not match': added missing argument.
|
|
* ia/public_key/specs:
public_key: Export some dialyzer types
|
|
Move dilayzer types from include file to erl file and use
-export_type
|
|
|
|
|
|
|
|
public_key:private_key/0 was referenced but undefined, and lib/ssl had a
local definition of private_key/0.
To fix that, make the following changes:
* add public_key:private_key/0 type
* document public_key/0 and private_key/0
* fix incorrect definitions and references
|
|
* ia/Vagabond/adt-honor-cipher-order/OTP-11621:
Implement 'honor_cipher_order' SSL server-side option
|
|
Conflicts:
otp_build
|
|
did not support secure renegotiation
|
|
HonorCipherOrder as implemented in Apache, nginx, lighttpd, etc. This
instructs the server to prefer its own cipher ordering rather than the
client's and can help protect against things like BEAST while
maintaining compatability with clients which only support older ciphers.
This code is mostly written by Andrew Thompson, only the test case was
added by Andreas Schultz.
|
|
|
|
|
|
The server code erroneously took the list of curves supported by the
client from it's own hello extension, effectively breaking curve
selection all together.
Also the default fallback secp256k1 curve is not supported by
all clients. secp256r1 is recommended as part of the NIST Suite B
cryptographic suites. The chances are much better that all clients
support it, so use that as fallback.
|
|
|
|
|
|
Newer OpenSSL versions allow to selectively disable GF2m elliptic curves.
Selectively enable GF2m curves is support for them is available.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
New design : ssl - Main
tls - Reflect tls specific semantics
dtls - Reflect dtls specific semantics
|
