aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/test/make_certs.erl
AgeCommit message (Collapse)Author
2019-01-10Merge branch 'maint'Péter Dimitrov
* maint: ssl: Fix CRL suite with openssl-1.1.1a Change-Id: I18ffe894158e8881af20bba6f6a60b85063b937c
2019-01-09ssl: Fix CRL suite with openssl-1.1.1aPéter Dimitrov
Later versions of openssl do not support negative integers for CRL due time (used for negative testing). As a workaround this commit implements a function that can set CRL due time in seconds and makes the testcase 'crl_hash_dir_expired' sleep for one second. Change-Id: I2ef8b3c6ee545bd09170fa6027cb9ca38cfb42c0
2018-10-15ssl: Implement Signature Algorithms (TLS 1.3)Péter Dimitrov
Implement handling of the signature algorithms extension described by RFC 8446. This commit updates the behavior of legacy TLS versions to align them with RFC 8446 (TLS 1.3) and RFC 5246 (TLS 1.2). - TLS 1.0/1.1 clients validate the client certificate against the certificate_type field of the CertificateRequest message. - TLS 1.2 client verifies the hash/signature algorithm pair of the client certificate when processing a CertificateRequest. Old behavior only checked the signature algorithms. - TLS 1.2 server verifies that the server certificate is signed by a hash/signature algorithm pair that appears in the "singature_algorithms" or "signature_algorithms_cert" (RFC 8446) extensions of the ClientHello. Change-Id: I3e0a0d7408984f5e5b1233968934fe34d64eb2b7
2018-04-27Fix distro CRL test cases short vs long namesRaimo Niskanen
2017-06-14Update copyright yearHans Nilsson
2017-05-06ssl: Add hostname check of server certificateIngela Anderton Andin
When the server_name_indication is sent automatize the clients check of that the hostname is present in the servers certificate. Currently server_name_indication shall be on the dns_id format. If server_name_indication is disabled it is up to the user to do its own check in the verify_fun.
2017-01-12ssl: Make crls valid for a week instead of 24 hoursIngela Anderton Andin
With the 24 option we might be unlucky and get failing tests just because cert expired before the test is run.
2016-12-07Update copyright-yearErlang/OTP
2016-05-19Skip crl_hash_dir_expired test for LibreSSLMagnus Henoch
LibreSSL doesn't like it when we pass a negative number for the -crlhours argument. I'm not sure if there is another way to make it generate a CRL with expiry date in the past, so let's skip that test in this case.
2016-04-05Add ssl_crl_hash_dir moduleMagnus Henoch
This module is an implementation of the ssl_crl_cache_api behaviour. It can be used when there is a directory containing CRLs for all relevant CAs, in the form used by e.g. Apache. The module assumes that the directory is being updated through an external process.
2015-12-14ssl: Do not use environment variables in openSSL config fileIngela Anderton Andin
LibreSSL does not allow it.
2015-06-18Change license text to APLv2Bruce Yinhe
2015-05-12ssl: add tests for SNI server supportQijiang Fan
This commit adds tests for SNI server support in: * ssl_sni_SUITE.erl * ssl_to_openssl_SUITE.erl And some more modifications: * make_certs also makes two certs for SNI, and adds extra options for SNI.
2015-03-09ssl: Integrate public_key CRL verification with the ssl applicationIngela Anderton Andin
2014-04-23ssl: Fixes ssl_crl_SUITE errors on mixed ipv6-v4 interfacesHans Nilsson
2014-03-28ssl: Testing - sha256 digest not supported on all platformsBjörn-Egil Dahlberg
Certificates uses: default_md = sha256 This is not supported on all test platforms, use md5 instead for testing.
2014-03-26Rework IDP validation according to the RFC, fix public_key testsAndrew Thompson
2014-03-26Various improvements to CRL handlingAndrew Thompson
* Handle v1 CRLs, with no extensions. * Compare the IDP on a CRL correctly, if present * Don't try to double-decode altnames Tests are also included, and the make_certs testing tool in the SSL application has been greatly extended.
2012-09-20ssl: Support for SSL Next Protocol NegotiationBen Murphy
* http://technotes.googlecode.com/git/nextprotoneg.html
2011-02-17Update all fin_per_testcase to end_per_testcase.Lukas Larsson
2010-08-18Fix bug in ssl handshake protocol related to the choice of cipher suitesPaul Guyot
in client hello message when a client certificate is used The client hello message now always include ALL available cipher suites (or those specified by the ciphers option). Previous implementation would filter them based on the client certificate key usage extension (such filtering only makes sense for the server certificate).
2010-01-13Add test suite for the ssl applicationDan Gudmundsson