| Age | Commit message (Collapse) | Author |
|---|
|
ECC certs should preferably use SHA2, this is what we want to be
testing. Also assembling of all available test suites must consider TLS version.
|
|
|
|
|
|
Even though v2 is never supported v2 hellos can be.
No support for v2 client hellos gives "handshake failiure" alert.
Support for v2 hello but no higher SSL/TLS version offered
gives "protocol version" alert.
|
|
* ingela/ssl/cuddle:
ssl: Test and test suites shall be independent of each other
|
|
Skip some test on really slow solaris machines
|
|
Make sure ssl application has a fresh start, so that test do
not fail due to that other tests did not clean up properly.
|
|
This should only be used in legacy test case not in test cases
testing other functionality.
|
|
* ingela/ssl_to_openssl_SUITE-timeouts:
ssl: Timeout tuning
|
|
ssl servers can recognize sslv2 client hellos to interop with clients
that support higher version of SSL/TLS but also offers sslv2
Conflicts:
lib/ssl/src/tls_connection.erl
|
|
|
|
|
|
|
|
|
|
Make sure that options only relevant for one role (client|server) is set
to undefined when the other role is invoked. As there are many options to
ssl, and many are optional, we choose to filter out all undefined options
to avoid overwhelming the user with not relevant information.
This way there is no need for any special handling of the role specific options
which is also nice.
|
|
|
|
As sslv3 is being faced out we need to test for old version support as well as
newer versions.
|
|
* ia/libressl:
ssl: Print openssl version string
ssl: Do not use environment variables in openSSL config file
|
|
|
|
|
|
* ia/ssl/windows-tests:
ssl: Use test case time out instead
ssl: Use spawn_executable
|
|
|
|
|
|
|
|
* ia/ssl/modern-timetrap:
ssl: Make init functions fail if make_certs:all fails
ssl: Avoid sleep
ssl: modernize timetrap handling
|
|
|
|
When possible avoid sleep in test cases.
|
|
Watchdog is legacy test_server use only ct:timetrap/1
|
|
|
|
The test cases does not use any hooks and including the ts_install_cth
trips up the test case setup on some platforms cuasing the test cases
to fail with {error, enoent}
|
|
|
|
Refactored the code and moved client_check before call to
ssl_test_lib:check_result(Server, ExpectedSNIHostname) as this
call may consume client messages ( which is intentional) but was
missed by the test case writer.
|
|
connection_info -> connection_information
|
|
The newly added function sni_fun allows dynamic update of SSL options
like keys and certificates depending on different SNI hostname, rather
than a predefined rules of SSL options.
|
|
This commit adds tests for SNI server support in:
* ssl_sni_SUITE.erl
* ssl_to_openssl_SUITE.erl
And some more modifications:
* make_certs also makes two certs for SNI, and adds
extra options for SNI.
|
|
This reverts commit a3cf4eb4cdd2ce178d81b62faa9f47485fd82331.
This workaround is no longer needed as the, TLS-1.2 extension,
signature_algorithm is now correctly ignored by previous TLS versions.
|
|
* ia/ssl/cuddle-openssl:
Add workaround for problems with s_client defaults
|
|
|
|
This commit adds support for RFC7301, application-layer protocol
negotiation. ALPN is the standard based approach to the NPN
extension, and is required for HTTP/2.
ALPN lives side by side with NPN and provides an equivalent
feature but in this case it is the server that decides what
protocol to use, not the client.
When both ALPN and NPN are sent by a client, and the server is
configured with both ALPN and NPN options, ALPN will always
take precedence. This behavior can also be found in the OpenSSL
implementation of ALPN.
ALPN and NPN share the ssl:negotiated_protocol/1 function for
retrieving the negotiated protocol. The previously existing
function ssl:negotiated_next_protocol/1 still exists, but has
been deprecated and removed from the documentation.
The tests against OpenSSL require OpenSSL version 1.0.2+.
|
|
Use generated certs instead of hard coded
|
|
The OpenSSL detection match would actually consider all 1.0.1 versions
as affected when really only 1.0.1 - 1.0.1c are.
|
|
|
|
|
|
|
|
Make sure that test cases does not fail due to timing circumstances,
use selective receive even if it means we can not use test library functions
in some cases. TCP does not have delivery guarantee to application layer,
so sometimes a error message {error, Msg} or {error, closed} can be acceptable.
|
|
with proper defaults
Added ssl_ECC_SUITE
|
|
As the ASN-1 application relies on a nif in R16 for decodeing (that
was not the case in R15), public_key currently has a runtime
dependency on ASN-1. Hopefully we will be able to remove this
dependency again in the future.
|
|
Also phase in tls module as main API instead of ssl. To
make API clearer. As TLS is the new protocol name.
Maybe keep some API functions in ssl
|
|
|
|
Even in "normal" (not explicitly ECC tests) cases we need to filter out
ECC ciper suites as they are preferd.
|
