Age | Commit message (Collapse) | Author |
|
Make sure that test cases does not fail due to timing circumstances,
use selective receive even if it means we can not use test library functions
in some cases. TCP does not have delivery guarantee to application layer,
so sometimes a error message {error, Msg} or {error, closed} can be acceptable.
|
|
with proper defaults
Added ssl_ECC_SUITE
|
|
As the ASN-1 application relies on a nif in R16 for decodeing (that
was not the case in R15), public_key currently has a runtime
dependency on ASN-1. Hopefully we will be able to remove this
dependency again in the future.
|
|
Also phase in tls module as main API instead of ssl. To
make API clearer. As TLS is the new protocol name.
Maybe keep some API functions in ssl
|
|
|
|
Even in "normal" (not explicitly ECC tests) cases we need to filter out
ECC ciper suites as they are preferd.
|
|
|
|
EEC is not fully supported before 0.9.9. Also skip tests on opensslversions
with known bugs in ECC support
|
|
|
|
follow up enhancments done in commit
e56167dd6ca8d37d26ea7f19933691a3bda41113
Make sure format_error return good strings. Replace confusing legacy atoms
with more descriptive atoms.
|
|
Remove filter mechanisms that made error messages backwards compatible
with old ssl but hid information about what actually happened.
This does not break the documented API however other reason
terms may be returned, so code that matches on the reason part of
{error, Reason} may fail.
|
|
|
|
|
|
protocol-error message we are expecting
|
|
|
|
|
|
more "sense" (be true to the specification).
|
|
* http://technotes.googlecode.com/git/nextprotoneg.html
|
|
|
|
combinations
|
|
This is also avoids triggering some bugs in OpenSSL.
|
|
|
|
|
|
|
|
|
|
Avoid cach validation with file:file_info/2 as this i too expensive and
causes a bottleneck in the file server. Instead we expose a new API function
ssl:clear_pem_cache/0 to deal with the problem. As we think it will be
of occasional use and the normal case is that the cache will be valid we think
it is the right thing to do.
Convert file paths to binary representation in the ssl API module to
avoid uncessarry calls in file later on.
Also add sanity checks for openssl versions in testsuite due to new
openssl bugs.
|
|
Reason sslv2 support seems to be by default turned of.
|
|
The code is refactored and improved to make it easier to insert the
1/n-1 splitting countermeasure Rizzo/Duong-Beast that is really done
in one function clause in ssl:record_split_bin/3
|
|
|
|
If the server process is always closed first shutdown of
the openssl process will be gracious
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Added cache invalidation control of ssl certificates so that
sessions will not be reused if file content is changed.
There was a glitch in ssl:close that made it possible to
to get eaddrinuse even though reuseadder-option was used.
Also improved tests for better user-close handling.
|
|
Such reason is that pulic key generation or mnesia:stop might
occasionally take very long time.
|
|
For testing purposes ssl now also support some anonymous cipher suites
when explicitly configured to do so.
Also moved session cache tests to its own suite, so that timeout
of end_per_testcase when the mnesia is used as session cache will
not affect other test cases.
|
|
Changed test so that the test cases testing all different ciphers
also sends data so that that the calls to crypto cipher functions
are also tested.
|
|
instead of causing a case-clause.
|
|
Ssl has now switched default implementation and removed deprecated
certificate handling. All certificate handling is done by the public_key
application.
|
|
(This is the merge of r13 version to r14_dev)
|
|
New ssl now support client/server-certificates signed by dsa keys.
|
|
|
|
|
|
New ssl now supports secure renegotiation as described by RFC 5746.
|
|
Alert handling has been improved to better handle unexpected but valid
messages and the implementation is also changed to avoid timing related
issues that could cause different error messages depending on network
latency. Packet handling was sort of broken but would mostly work as
expected when socket was in binary mode. This has now been fixed.
|