Age | Commit message (Collapse) | Author |
|
Remove filter mechanisms that made error messages backwards compatible
with old ssl but hid information about what actually happened.
This does not break the documented API however other reason
terms may be returned, so code that matches on the reason part of
{error, Reason} may fail.
|
|
Certificate db cleaning messages where sent to the wrong process after
restructuring to avoid bottlenecks.
It is possible that the ssl manager process gets two cleaning messages
for the same entry. E.i. first cleaning message is sent and before it
is processed a new reference is allocated and again released for the
entry, generating a second cleaning message.
Also in ssl_manger:handle_info/2 it is possible that there exists a
new reference to an "old" file name with a potential new content.
|
|
|
|
|
|
Conflicts:
erts/emulator/sys/vxworks/sys.c
erts/vsn.mk
lib/ssl/src/ssl_connection.erl
lib/ssl/test/ssl_basic_SUITE.erl
|
|
Reset state so that "recv data" is not sent as "active data" after a recv
timed out and no new recv has been called.
|
|
ssl:ssl_accept/[2,3] or ssl:connect/[3,4] timeout expires.
Add missing function clause to handle timeout during handshake.
The missing clause had the effect that the timeout was wrongly
discarded. Also add an extra test case for the recv timeout
in addition to the one in ssl_packet_SUITE.
The missing functions clause was introduced in 8a789189.
This commit changed the timeout implementation, the previous implememtation
could cause other type of problems as the timeout was client side.
|
|
* ia/ssl/peer-cert-server:
ssl: Add test case for ssl:peercert with client certification
|
|
|
|
|
|
|
|
same as in gen_tcp.
Made error handling of listen sockets as arguments to funtions
expecting a connected socket more inet/gen_tcp like.
|
|
|
|
|
|
The Rizzo tests ran both SSL 3.0 and TLS 1.0 tests in the same test
case but the new group structure that run all relevant test for all
relevant SSL/TLS versions we need to change that to run the protocol version
of the group the we are currently running.
|
|
|
|
|
|
TLS 1.2 allows to negotiate the used PRF,
additional the default PRF uses a different
hash. This change make the PRF selectable
and hardwires the PRF for TLS < 1.2
|
|
ssl sockets.
|
|
|
|
Avoid cach validation with file:file_info/2 as this i too expensive and
causes a bottleneck in the file server. Instead we expose a new API function
ssl:clear_pem_cache/0 to deal with the problem. As we think it will be
of occasional use and the normal case is that the cache will be valid we think
it is the right thing to do.
Convert file paths to binary representation in the ssl API module to
avoid uncessarry calls in file later on.
Also add sanity checks for openssl versions in testsuite due to new
openssl bugs.
|
|
* rc/spell-registered:
Correct spelling of "registered" in various places in the source code
OTP-9925
|
|
Background from erlang-questions:
> We use this test suite to verify our PKIX-path-validation code,
> granted we do not yet support CRL-handling but that is on its
> way. Our verify_fun will let you work around the problem that it
> is not yet supported. (Not so fun for you perhaps but a possible
> solution for now).
this is unfortunately not the case since for versions that contain
commit 4dbf3c9e4ae7cfd19b247353369166d31b8f15e5 (it is in R14B04 and
R15B) the documented behaviour (verify_fun will be called for every
certificate) is broken: the verify_fun will only be called, if the
certificate contains unknown extensions.
it is therefore not useful as a CRL workaround (anymore).
best regards
Stefan Grundmann
|
|
|
|
error.
|
|
The workaround ought to have been added to this case when it was added to
the test case invalid_signature_client
|
|
Rizzo/Duong-Beast attack.
|
|
|
|
|
|
evaluating ssl:recv could be left hanging for ever.
|
|
|
|
The code is refactored and improved to make it easier to insert the
1/n-1 splitting countermeasure Rizzo/Duong-Beast that is really done
in one function clause in ssl:record_split_bin/3
|
|
|
|
process_info(Pid, current_function) may return {current_function, undefined}
in some cases but will not in the importante one!
|
|
|
|
|
|
I accidentally removed a little too much, only peercert/2 was deprecated.
|
|
* ia/ssl/remove-old-ssl/OTP-7048:
Remove old ssl implementation and deprecated function ssl:peercert/1
Conflicts:
lib/ssl/test/Makefile
|
|
|
|
|
|
|
|
|
|
|
|
In ssl-4.1.5 temporary clean-up processes would crash resulting in
that the session table would not be cleaned up (e.i. using more and
more memory) and error reports would be printed, but connections would
not be affected.
|
|
When making an SSL connection (either as client or as server), the
process implementing the connection may use as much as hundreds of
kilobytes of memory, even when idle. This is problematic for any
application maintaining more than just a few SSL connections.
This patch introduces the option { hibernate_after, int() } to the
ssl:connect and ssl:listen functions, making the SSL connection
process go into hibernation after the specified number of milliseconds
of inactivity. This will reduce the memory used by the process to
just a few hundred bytes, making applications with thousands or
more SSL connections feasible, as long as most of the connections
are idle for most of the time (which is typically the case).
The approach of making the process go into hibernation only after
some time of inactivity was chosen because hibernation incurs some
CPU usage, and it is therefore not desirable for a process to
hibernate after each call.
|
|
|
|
|
|
|
|
|
|
|