aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/test
AgeCommit message (Collapse)Author
2014-09-10ssl: One more workaround as tcp has no delivery gurantee on application levelIngela Anderton Andin
2014-09-09ssl, public_key: Add new option partial_chainIngela Anderton Andin
Check that the certificate chain ends with a trusted ROOT CA e.i. a self-signed certificate, but provide an option partial_chain to enable the application to define an intermediat CA as trusted. TLS RFC says: "unknown_ca A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not be located or couldn't be matched with a known, trusted CA. This message is always fatal." and also states: "certificate_list This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case." X509 RFC says: "The selection of a trust anchor is a matter of policy: it could be the top CA in a hierarchical PKI, the CA that issued the verifier's own certificate(s), or any other CA in a network PKI. The path validation procedure is the same regardless of the choice of trust anchor. In addition, different applications may rely on different trust anchors, or may accept paths that begin with any of a set of trust anchors."
2014-08-11ssl: Test ECDSA and improve test suite maintainabilityIngela Anderton Andin
Use generated certs instead of hard coded
2014-07-07Merge branch 'dnet/parse_sni' into maintBruce Yinhe
* dnet/parse_sni: added SNI decode test to SSL handshake suite ssl: parse SNI in received client hello records OTP-12048
2014-06-12ssl: Test case stabilityIngela Anderton Andin
2014-06-05added SNI decode test to SSL handshake suiteAndrás Veres-Szentkirályi
2014-06-04Merge branch 'RoadRunnr/ssl/fix-tests' into maintMarcus Arendt
* RoadRunnr/ssl/fix-tests: SSL: fix OpenSSL known renegotiation bug detection SSL: in tests, filter ssl client ciphers for version compatibility
2014-06-03SSL: always filter the full list of supported ciphers against the supported ↵Andreas Schultz
algorithms With the addition of more ciphers that are not supported in all configurations, using a manually prefiltered cipher list (e.g. EC vs. non-EC ciphers) becomes to complex. Replace the manual split with ssl_cipher:filter_suites/1 in all places. Conflicts: lib/ssl/src/ssl.erl lib/ssl/src/tls_v1.erl
2014-05-28SSL: fix OpenSSL known renegotiation bug detectionAndreas Schultz
The OpenSSL detection match would actually consider all 1.0.1 versions as affected when really only 1.0.1 - 1.0.1c are.
2014-05-28SSL: in tests, filter ssl client ciphers for version compatibilityAndreas Schultz
Some psk and some not yet supported anonymous suites are only supported with TLS version >= 1.2. This adds them to the tests and makes sure that they are not tested on TLS versions that do not support them.
2014-05-27ssl: Correct test SUITEIngela Anderton Andin
2014-05-26ssl: Add ssl options to listen options trackerIngela Anderton Andin
2014-05-12Merge branch 'ia/ssl/inherit/OTP-11897' into maintIngela Anderton Andin
* ia/ssl/inherit/OTP-11897: ssl: Handle socket option inheritance when pooling of accept sockets is used
2014-05-09ssl: Handle socket option inheritance when pooling of accept sockets is usedIngela Anderton Andin
Implement a listen socket tracker process that holds the emulated socket options so that it is possible to implement a destructive ssl:setopts on SSL/TLS listen sockets without changing the options of the internal socket as we want that socket to have the internal socket option values.
2014-05-07ssl: SSL/TLS version input list shall not be order dependentIngela Anderton Andin
2014-04-24ssl: Fixes ssl_crl_SUITE errors on mixed ipv6-v4 interfacesHans Nilsson
2014-04-23ssl: Fix crash on garbage during handshakeDanil Zagoskin
If a client sends some garbage in ssl record instead of valid fragment, server crashes with function_clause while receiving next record from client. This patch makes server raise handshake failure instead of crashing and exposing internal state to user code.
2014-04-23ssl: Refactor so that there is only one source for the default hashsign valuesIngela Anderton Andin
Also fix DTLS call to supply its corresponding TLS version
2014-04-23ssl: always pass negotiated version when selecting hashsignDanil Zagoskin
Negotiated version is now always passed to ssl_handshake:select_hashsign because ssl_handshake:select_cert_hashsign has different rsa defaults on tlsv1.2 and older versions.
2014-04-23ssl: TLSv1.2: proper default sign algo for RSADanil Zagoskin
2014-04-22Merge branch 'ia/ssl/recv/OTP-11878' into maintIngela Anderton Andin
* ia/ssl/recv/OTP-11878: ssl: recv shall ruturn {error, einval} on active socket
2014-04-17ssl: recv shall ruturn {error, einval} on active socketIngela Anderton Andin
2014-04-16ssl: Select supported cipher suites for the negotiated SSL/TLS-versionIngela Anderton Andin
When selecting the available cipher suites for the server all cipher suites for the highest supported SSL/TLS-version would be selected, and not all supported for the negotiated SSL/TLS-version. This could lead to that faulty clients could negotiate cipher suites that they can not support. This change will enable the faulty client to negotiate another cipher suite that it can support.
2014-03-31Merge branch 'ia/ssl/accept-with-options'Ingela Anderton Andin
* ia/ssl/accept-with-options: ssl: Add possibility to specify ssl options when calling ssl:ssl_accept
2014-03-31ssl: Add possibility to specify ssl options when calling ssl:ssl_acceptIngela Anderton Andin
2014-03-28ssl: Testing - sha256 digest not supported on all platformsBjörn-Egil Dahlberg
Certificates uses: default_md = sha256 This is not supported on all test platforms, use md5 instead for testing.
2014-03-28ssl: fix crl test suite error with unexpected web server responseHans Nilsson
2014-03-26ssl, pubkey: Code and test adjustmentsHans Nilsson
2014-03-26Rework IDP validation according to the RFC, fix public_key testsAndrew Thompson
2014-03-26Various improvements to CRL handlingAndrew Thompson
* Handle v1 CRLs, with no extensions. * Compare the IDP on a CRL correctly, if present * Don't try to double-decode altnames Tests are also included, and the make_certs testing tool in the SSL application has been greatly extended.
2014-03-25ssl: Handle SNI alert unrecognized_name and gracefully deal withIngela Anderton Andin
unexpected alerts. Add recognitions of RFC 4366 alerts and handle possible unimplementd alerts in a gracefully way.
2014-03-14Add test for unknown elliptic curve supported by clientDanil Zagoskin
When TLS client sends a Supported Elliptic Curves Client Hello Extension containing an unknown curve enum value, a server crashes with a function_clause instead of just ignoring specified unknown curve.
2014-03-04ssl: Add input sanity checkIngela Anderton Andin
Avoid puzzling behavior due to options being disregarded if they are not key value tuples.
2014-02-24Merge branch 'schlagert/fix_basic_appups'Siri Hansen
* schlagert/fix_basic_appups: Dynamically configure typer_SUITE according to environment Disable hipe_SUITE when environment doesn't support it Make hipe non-upgradable by setting appup file empty Fix missing module on hipe app file template Add test suites performing app and appup file checks Introduce appup test utility Fix library application appup files Fix non-library appup files according to issue #240 OTP-11744
2014-02-24Add test suites performing app and appup file checksTobias Schlager
Add the mentioned test suites for *all* library and touched non-library applications.
2014-02-21ssl: Add test that memory is not leekedIngela Anderton Andin
2014-02-14ssl: Add test for avoiding a version and chipher suite missmatchIngela Anderton Andin
2014-01-29ssl: Add workaround in test code for openssl s_client bugIngela Anderton Andin
2014-01-28Merge branch 'ia/ssl/tests'Ingela Anderton Andin
* ia/ssl/tests: ssl: Avoid test case timing issues
2014-01-28Merge branch 'ia/Vagabond/adt-honor-cipher-order/OTP-11621'Ingela Anderton Andin
* ia/Vagabond/adt-honor-cipher-order/OTP-11621: Implement 'honor_cipher_order' SSL server-side option
2014-01-27ssl: Avoid test case timing issuesIngela Anderton Andin
2014-01-24Merge branch 'maint'Ingela Anderton Andin
Conflicts: otp_build
2014-01-22ssl: Incorrect inputed cipherlist lead server to think that the clientIngela Anderton Andin
did not support secure renegotiation
2014-01-22Merge branch 'dgud/test_unicode/OTP-10877'Dan Gudmundsson
* dgud/test_unicode/OTP-10877: sasl test: Quote executable paths (can contain spaces) rt_tools: Handle unicode chars in printouts kernel: code_SUITE fix unicode option Fix (unicode) debug info in test cases stdlib: Fix format if module resides in a unicode directory Fix testing with unicode paths test_server: Fix ts write unicode in config files
2014-01-21Implement 'honor_cipher_order' SSL server-side optionAndrew Thompson
HonorCipherOrder as implemented in Apache, nginx, lighttpd, etc. This instructs the server to prefer its own cipher ordering rather than the client's and can help protect against things like BEAST while maintaining compatability with clients which only support older ciphers. This code is mostly written by Andrew Thompson, only the test case was added by Andreas Schultz.
2014-01-21Merge branch 'ia/ssl/openssl-reneogtiation-bug'Ingela Anderton Andin
* ia/ssl/openssl-reneogtiation-bug: ssl: Add versions to check for sane OpenSSL version for renegotiation
2014-01-21Fix (unicode) debug info in test casesDan Gudmundsson
2014-01-14ssl: Add missing options validation of server_name_indicationIngela Anderton Andin
2014-01-14ssl: Add versions to check for sane OpenSSL version for renegotiationIngela Anderton Andin
2013-12-02ssl: Refactor connetion handlingIngela Anderton Andin