| Age | Commit message (Collapse) | Author |
|---|
|
Before only some PSK suites would be correctly negotiated and most PSK
ciphers suites would fail the connection.
PSK cipher suites are anonymous in the sense that they do not use
certificates except for rsa_psk.
|
|
Separate sending and receiving when using TCP as transport
as prim_inet:send may block which in turn may result
in a deadlock between two Erlang processes communicating over
TLS, this is especially likely to happen when running Erlang distribution
over TLS.
|
|
The conversion code for different representations of cipher suites
is long an repetitive. We want to hide it in a module that does not
have other functions that we like to look at.
|
|
Transport accepted sockets that are in the error state, was not closed
properly.
|
|
|
|
When doing ssl:controlling_process on a ssl socket that has not
performed the TLS/DTLS handshake that call will succeed even though
the documentation stated otherwise. However if some other ssl option
was incorrect the call would hang. Now {error, closed} will be
returned in the latter case, which is logical independent on if it
should succeed or not in the former case. The former case will continue
to succeed, as it is not dependent of the TLS/DTLS connection being
established, and the documentation is altered slightly to not
explicitly disallow it. If the TLS/DTLS connection later fails and
the socket mode is active, the new controlling process will be
notified as expected.
|
|
|
|
|
|
|
|
Add new API function for converting cipher suite maps
to their textual representation.
Change-Id: I43681930b38e0f3bdb4dfccbf9e8895aa2d6a281
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The interoperability option to fallback to insecure renegotiation
now has to be explicitly turned on.
|
|
Conflicts:
lib/ssl/doc/src/ssl.xml
lib/ssl/src/ssl.erl
lib/ssl/src/ssl_cipher.erl
lib/ssl/test/ssl_basic_SUITE.erl
lib/ssl/test/ssl_test_lib.erl
|
|
Preferably customized cipher suites will be based on the default value.
But all may be used as base and hence it will be good to
handle anonymous suites separately as they are intended for testing purposes.
|
|
|
|
* ingela/DTLS-supported:
ssl: Fix typo
dtls: Add DTLS handling to utility functions
ssl: Document enhancment
ssl: Document DTLS
|
|
* ingela/ssl/no-chacha-default-for-now/ERL-538/OTP-14882:
ssl: Remove chacha ciphers form default for now
|
|
We have discovered interoperability problems, ERL-538, that we
believe needs to be solved in crypto.
|
|
|
|
|
|
* ingela/ssl/remove-rsa-keyexchange-from-default/OTP-14769:
ssl: RSA key exchange is considered broken do not support by default
|
|
|
|
Make sure tests are run with intended version settings.
|
|
|
|
|
|
Otherwhise test can be wrongly initialized and will fail as they try to run
with a broken setup.
This is an addition to b3ca5727169deaa38917edca8288dcaff9a36800 that accidently
was the wrong version of that branch.
|
|
Otherwhise test can be wrongly initialized and will fail as they try to run
with a broken setup.
|
|
* ingela/ssl/dtls-alert-handling/OTP-14078:
dtls: Customize alert handling for DTLS over UDP
|
|
Problems with failure of ssl_certificate_verify_SUITE when enabling DTLS-1
tests in ssl_basic_SUITE was a combination of the bug fixed by the
previous commit and missing clean up code for dtls_protocol_versions
application environment variable
|
|
* ingela/ssl/timeout-cuddle:
ssl: Longer timeouts for test cases that do many handshakes
|
|
From RFC 6347:
4.1.2.7. Handling Invalid Records
Unlike TLS, DTLS is resilient in the face of invalid records (e.g.,
invalid formatting, length, MAC, etc.). In general, invalid
records SHOULD be silently discarded, thus preserving the
association; however, an error MAY be logged for diagnostic
purposes. Implementations which choose to generate an alert
instead, MUST generate fatal level alerts to avoid attacks where
the attacker repeatedly probes the implementation to see how it
responds to various types of error. Note that if DTLS is run over
UDP, then any implementation which does this will be extremely
susceptible to denial-of-service (DoS) attacks because UDP forgery
is so easy. Thus, this practice is NOT RECOMMENDED for such
transports.
|
|
|
|
This is mainly fixing the test suites so that they test the intended cipher
suites, issue reported in ERL-460.
Also ssl_cipher:anonymous_suites was corrected for DTLS.
|
|
|
|
This code was not used and we already have mixed chains ECDH_RSA tests
|
|
|
|
RSA signed certs
|
|
|
|
The commit 8b10920 (OTP 19.3.1) fixed the non-delivery of final TLS
record in {active, once}, but this causes the ssl_closed message to be
lost when the TCP connection closes before ssl:close/1. The patch
restores the behavior of OTP 18.
This is the second part to fix https://bugs.erlang.org/browse/ERL-420
|
|
When the server_name_indication is sent automatize the
clients check of that the hostname is present in the
servers certificate. Currently server_name_indication shall
be on the dns_id format. If server_name_indication is disabled
it is up to the user to do its own check in the verify_fun.
|
|
|
|
Add session_id and remove undocumented ssl:session_info/1
Add client_random, server_random and master_secret, they will not be included
in ssl:connection_information/1 as they may affect the connections security if
used recklessly.
|
|
|
|
We want to avoid failing test cases but still be able to merge
DTLS progress for 19.3
|
