aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/test/ssl_crl_SUITE.erl
AgeCommit message (Collapse)Author
2016-09-07ssl: Make sure tests get a clean startIngela Anderton Andin
2016-07-08ssl: Test and test suites shall be independent of each otherIngela Anderton Andin
Make sure ssl application has a fresh start, so that test do not fail due to that other tests did not clean up properly.
2016-06-14Merge branch 'legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530'Ingela Anderton Andin
* legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530: Skip crl_hash_dir_expired test for LibreSSL Add ssl_crl_hash_dir module Function for generating OpenSSL-style name hashes Add public_key:pkix_match_dist_point Improve formatting for crl_{check,cache} options Add issuer arg to ssl_crl_cache_api lookup callback Conflicts: lib/public_key/test/public_key_SUITE.erl
2016-05-20ssl: Remove use of test_server config macroIngela Anderton Andin
2016-05-19Skip crl_hash_dir_expired test for LibreSSLMagnus Henoch
LibreSSL doesn't like it when we pass a negative number for the -crlhours argument. I'm not sure if there is another way to make it generate a CRL with expiry date in the past, so let's skip that test in this case.
2016-04-05Add ssl_crl_hash_dir moduleMagnus Henoch
This module is an implementation of the ssl_crl_cache_api behaviour. It can be used when there is a directory containing CRLs for all relevant CAs, in the form used by e.g. Apache. The module assumes that the directory is being updated through an external process.
2016-03-15update copyright-yearHenrik Nord
2016-02-17Be suspicious of certificates without CRL DPsMagnus Henoch
Previously, if certificate revocation checking was turned on, and a certificate didn't contain a CRL Distribution Points extension, and there was no relevant CRL in the cache, then ssl_handshake:crl_check would accept the certificate even if the crl_check option was set to reject certificates for which the revocation status could not be determined. With this change, such certificates will only be accepted if the crl_check option was set to best_effort. The process for CRL validation is described in section 6.3 of RFC 5280. The text doesn't mention any special treatment to be given to certificates without distribution points: it just says "For each distribution point..." (section 6.3.3), which would leave the revocation status undetermined, unless there were "any available CRLs not specified in a distribution point but issued by the certificate issuer". Thus the result of this algorithm should be UNDETERMINED in this case, not UNREVOKED, and the crl_check option should govern how the implementation reacts to this result.
2016-01-27Refactor ssl_crl_SUITE: extract crl_verify_error/6Magnus Henoch
Just like crl_verify_valid/5 checks for a positive result given certain options, crl_verify_error/6 checks for a negative result.
2015-06-23Merge branch 'ia/ssl/modern-timetrap'Ingela Anderton Andin
* ia/ssl/modern-timetrap: ssl: Make init functions fail if make_certs:all fails ssl: Avoid sleep ssl: modernize timetrap handling
2015-06-22ssl: Make init functions fail if make_certs:all failsIngela Anderton Andin
2015-06-22ssl: modernize timetrap handlingIngela Anderton Andin
Watchdog is legacy test_server use only ct:timetrap/1
2015-06-18Change license text to APLv2Bruce Yinhe
2015-06-15ssl: Remove unnecessary suite callbackIngela Anderton Andin
The test cases does not use any hooks and including the ts_install_cth trips up the test case setup on some platforms cuasing the test cases to fail with {error, enoent}
2015-03-09ssl: Integrate public_key CRL verification with the ssl applicationIngela Anderton Andin
2014-04-23ssl: Fixes ssl_crl_SUITE errors on mixed ipv6-v4 interfacesHans Nilsson
2014-03-28ssl: fix crl test suite error with unexpected web server responseHans Nilsson
2014-03-26ssl, pubkey: Code and test adjustmentsHans Nilsson
2014-03-26Rework IDP validation according to the RFC, fix public_key testsAndrew Thompson
2014-03-26Various improvements to CRL handlingAndrew Thompson
* Handle v1 CRLs, with no extensions. * Compare the IDP on a CRL correctly, if present * Don't try to double-decode altnames Tests are also included, and the make_certs testing tool in the SSL application has been greatly extended.