Age | Commit message (Collapse) | Author |
|
The keyexchange ECDHE-RSA requires an RSA-keyed server cert
(corresponding for ECDHE-ECDSA), the code did not assert this
resulting in that a incorrect cipher suite could be selected.
Alas test code was also wrong hiding the error.
|
|
Conflicts:
lib/ssl/test/ssl_ECC_SUITE.erl
|
|
|
|
ECDH suite handling did not use the EC parameters form the certs
as expected.
Conflicts:
lib/ssl/src/ssl_cipher.erl
|
|
Fix test case code to use keyAgreement for ECDH_ECDSA
Conflicts:
lib/ssl/test/ssl_ECC.erl
lib/ssl/test/ssl_ECC_openssl_SUITE.erl
lib/ssl/test/ssl_to_openssl_SUITE.erl
|
|
When test handling was corrected it was obvious that DTLS ECC handling
was not compleated.
Conflicts:
lib/ssl/src/ssl.erl
lib/ssl/test/Makefile
lib/ssl/test/ssl_ECC.erl
lib/ssl/test/ssl_ECC_SUITE.erl
lib/ssl/test/ssl_ECC_openssl_SUITE.erl
|
|
Preferably customized cipher suites will be based on the default value.
But all may be used as base and hence it will be good to
handle anonymous suites separately as they are intended for testing purposes.
|
|
LibreSSL-2.6.3 dropped DSS (DSA) support
|
|
Stream ciphers are not valid fro DTLS
|
|
Client will retransmit until server becomes responsive
|
|
This is a preparation for improvements to come in option handling and
support for TLS-1.3
|
|
The ssl application uses the new function in many of its test cases.
|
|
Add exception for DTLS (not only TLS) against this broken version.
Make sure configuration is clean for default test group.
|
|
Otherwhise test can be wrongly initialized and will fail as they try to run
with a broken setup.
|
|
Problems with failure of ssl_certificate_verify_SUITE when enabling DTLS-1
tests in ssl_basic_SUITE was a combination of the bug fixed by the
previous commit and missing clean up code for dtls_protocol_versions
application environment variable
|
|
angelhof/public_key/generate_key-rsa-inconsistency-fix
public_key:generate_key/1 RSA key generation inconsistency
OTP-14534
|
|
* ingela/ssl/cert-handling:
ssl: Correct cipher suite handling
ssl: Modernize DSA cert chain generation
ssl: Clean
ssl: Remove test of OpenSSL
ssl: Use new cert generation
|
|
* ingela/dtls/cuddle:
ssl: Handle OpenSSL output correctly
|
|
This is mainly fixing the test suites so that they test the intended cipher
suites, issue reported in ERL-460.
Also ssl_cipher:anonymous_suites was corrected for DTLS.
|
|
|
|
Adjust to handle output from OpenSSL in a more general way, so that
"unknown option" should be caught for all cases and the test case
skipped if that is the case and other data form OpenSSL should be
ignored.
|
|
This code was not used and we already have mixed chains ECDH_RSA tests
|
|
|
|
|
|
|
|
The -ssl2 option to s_client appears to be broken on this release.
This is a legacy option anyway that is still tested on other old
version of OpenSSL so skip this.
|
|
|
|
Test should check that we get the expected key exchange algorithm
for the provided server cert. We do not want to test OpenSSL s_server.
Do not try to test cipher suites against OpenSSL that it does not
support.
|
|
* ingela/ssl/windows-cuddle:
ssl: Only run sslv2 reject tests on old OpenSSL version
ssl: Try to workaround OpenSSL windows obscurities
|
|
|
|
|
|
When the server_name_indication is sent automatize the
clients check of that the hostname is present in the
servers certificate. Currently server_name_indication shall
be on the dns_id format. If server_name_indication is disabled
it is up to the user to do its own check in the verify_fun.
|
|
|
|
With the new help functions for creating test data we can simplify the
code. And sometimes corrections have been made so that the test actually
perform the test intended.
|
|
The certificate chain handling had become quite entangled and
was not correct.
|
|
* ingela/ssl/make-cert-test-data/OTP-14294:
ssl, public_key: Add functionality for generating X509 cert test data
|
|
For now this functionality is located in ssl. And existing
public_key function is extended. However some of the functionality may
be moved to public_key in a later stage.
|
|
Add session_id and remove undocumented ssl:session_info/1
Add client_random, server_random and master_secret, they will not be included
in ssl:connection_information/1 as they may affect the connections security if
used recklessly.
|
|
|
|
|
|
We need to figure out a good way of knowing if the OpenSSL-"DTLS server" is up.
Some of the code in this commit is attempting this, but it is not really working
yet, and hence only tests where OpenSSL is client are enabled.
|
|
|
|
DTLS does not support stream ciphers and needs diffrent
handling of the "#ssl_socket{}" handle .
|
|
|
|
ECC certs should preferably use SHA2, this is what we want to be
testing. Also assembling of all available test suites must consider TLS version.
|
|
Test suite did not take TLS-version in to account. Also
some anonymous suites where included incorrectly in some TLS versions.
|
|
|
|
Avoid to run tests of algorithms not supported by crypto.
|
|
Tests in ECC_SUITE did not always use the certs implied by the
name. Variable naming also confused the intent.
ssl_certificate_verify_SUITE did not clean up properly and tests could
fail due to cache problems.
|
|
|