| Age | Commit message (Collapse) | Author |
|---|
|
* peterdmv/ssl/fix-failing-testcases:
ssl: Fix renegotiation testcases
ssl: Fix failing rizzo testcases
ssl: Use IPv4 addresses with openssl s_client
ssl: Use sha256 in test certificates if supported
Change-Id: I11a326be027545e20fbef6f90996b0c8be8c3e50
|
|
This commit fixes failing testcases on OpenBSD 12.0 systems. It
forces openssl s_client to use an IPv4 address if openssl supports
IPv6.
When s_client is called with the argument "localhost" it binds
to the first address returned by getaddrinfo. As the first address
is an IPv6 address on OpenBSD 12.0, the client fails to send
UDP packets to the ssl server that is listening on an IPv4 address.
Change-Id: Ie662d10f4f0d9c803f7a341c9ea7dbe2ac80b556
|
|
This commit fixes ssl_test_lib:appropriate_sha/1 that returns sha256
if it is supported by crypto. It returns sha1 otherwise.
Change-Id: I0bfa4d50bbe3c788551a81d418db2cabc36a4344
|
|
|
|
* peterdmv/ssl/improve_openssl_interop_tests:
ssl: Improve openssl interop tests
Change-Id: I65b63ddb8c8948d246e341f8c821b3b499507cb6
|
|
openssl 1.1.x changed the default ECC curves that made testcases
fail in the ECC suite. openssl s_server and s_client sent
'Illegal Parameter' alert when the CertificateVerify (client) or
ServerKeyExchange (server) message was signed with a curve that
was not present in openssl's default ECC curve list (x25519,
secp256r1, secp521r1, secp384r1, brainpoolP256r1, brainpoolP384r1,
brainpool512r1).
This commit changes the default curve of make_ec_cert_chains to
'secp256r1' and explicitly configures the default curve in
those testcases where the default curve of the ssl application
is expected.
Change-Id: I81ebe1a30b8f863b0e2836b1dad3d8bc767cc47e
|
|
We want to be able to save a specific session to reuse, and make sure
it is reusable immediatly when the connection has been established.
Add client option {reuse_session, SessionID::binary()}
We also do not want clients to save sessions that it did not verify.
Additionaly change behaviour of the client and server to not save sessions
if reuse_session is set to false.
|
|
Remove rizzo rests that made incorrect assumptions
|
|
Cipher test case also needed updating to handle streams correctly
We should not rizzo test chacha20_poly1305
Conflicts:
lib/ssl/test/ssl_basic_SUITE.erl
|
|
Cipher test case also needed updating to handle streams correctly
We should not rizzo test chacha20_poly1305
Conflicts:
lib/ssl/test/ssl_basic_SUITE.erl
|
|
|
|
with handshake
Fix of commit 68d9244ae33e5eea36250c3bb9ffe046a4db5647
|
|
|
|
other purposes than handshaking
|
|
With the new TLS sender process, solving ERL-622, TLS ALERTs sent in
the connection state must be encrypted and sent by the TLS sender
process. This to make sure that the correct encryption state is used
to encode the ALERTS. Care must also be taken to ensure a graceful
close down behavior both for normal shutdown and downgrading from TLS
to TCP.
The original TR ERL-738 is verified by cowboy tests, and close down
behavior by our tests. However we alas have not been able to yet
create a minimal test case for the originating problem.
Also it seems it has become less likely that we run in to the TCP
delivery problem, that is the guarantee is only on transport level,
not application level. Keep work around function in ssl_test_lib but
we can have better test as long as we do not get to much wobbling
tests.
|
|
|
|
Before only some PSK suites would be correctly negotiated and most PSK
ciphers suites would fail the connection.
PSK cipher suites are anonymous in the sense that they do not use
certificates except for rsa_psk.
|
|
The conversion code for different representations of cipher suites
is long an repetitive. We want to hide it in a module that does not
have other functions that we like to look at.
|
|
The keyexchange ECDHE-RSA requires an RSA-keyed server cert
(corresponding for ECDHE-ECDSA), the code did not assert this
resulting in that a incorrect cipher suite could be selected.
Alas test code was also wrong hiding the error.
|
|
|
|
|
|
|
|
|
|
* ingela/ssl/21-enhanchment:
ssl: Add handle_continue/2 and document enhancements
|
|
* deprecation of ssl:ssl_accept/[1,2,3]
* deprecation of ssl:cipher_suites/[0,1]
* More consistent naming
|
|
|
|
|
|
|
|
Depending on context trap_exit flag may be set or not.
So always set trap_exit and consume the EXIT signal and then set it back.
|
|
ECDH suite handling did not use the EC parameters form the certs
as expected.
|
|
Fix test case code to use keyAgreement for ECDH_ECDSA
|
|
* ingela/ssl/test-cuddle:
ssl: Handle EXIT messages from test code correctly
|
|
|
|
When test handling was corrected it was obvious that DTLS ECC handling
was not compleated.
|
|
|
|
Conflicts:
lib/ssl/doc/src/ssl.xml
lib/ssl/src/ssl.erl
lib/ssl/src/ssl_cipher.erl
lib/ssl/test/ssl_basic_SUITE.erl
lib/ssl/test/ssl_test_lib.erl
|
|
Preferably customized cipher suites will be based on the default value.
But all may be used as base and hence it will be good to
handle anonymous suites separately as they are intended for testing purposes.
|
|
|
|
LibreSSL-2.6.3 dropped DSS (DSA) support
|
|
We have discovered interoperability problems, ERL-538, that we
believe needs to be solved in crypto.
|
|
|
|
Stream ciphers are not valid fro DTLS
|
|
Client will retransmit until server becomes responsive
|
|
Conflicts:
lib/ssl/src/ssl_cipher.erl
lib/ssl/src/ssl_handshake.erl
|
|
This is a preparation for improvements to come in option handling and
support for TLS-1.3
|
|
|
|
The ssl application uses the new function in many of its test cases.
|
|
|
|
Add exception for DTLS (not only TLS) against this broken version.
Make sure configuration is clean for default test group.
|
|
|
