Age | Commit message (Collapse) | Author |
|
|
|
Check that the certificate chain ends with a trusted ROOT CA e.i. a
self-signed certificate, but provide an option partial_chain to
enable the application to define an intermediat CA as trusted.
TLS RFC says:
"unknown_ca
A valid certificate chain or partial chain was received, but the
certificate was not accepted because the CA certificate could not
be located or couldn't be matched with a known, trusted CA. This
message is always fatal."
and also states:
"certificate_list
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following
certificate MUST directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority MAY be omitted from the chain, under the
assumption that the remote end must already possess it in order to
validate it in any case."
X509 RFC says:
"The selection of a trust anchor is a matter of policy: it could be
the top CA in a hierarchical PKI, the CA that issued the verifier's
own certificate(s), or any other CA in a network PKI. The path
validation procedure is the same regardless of the choice of trust
anchor. In addition, different applications may rely on different
trust anchors, or may accept paths that begin with any of a set of
trust anchors."
|
|
Use generated certs instead of hard coded
|
|
* dnet/parse_sni:
added SNI decode test to SSL handshake suite
ssl: parse SNI in received client hello records
OTP-12048
|
|
|
|
|
|
* RoadRunnr/ssl/fix-tests:
SSL: fix OpenSSL known renegotiation bug detection
SSL: in tests, filter ssl client ciphers for version compatibility
|
|
algorithms
With the addition of more ciphers that are not supported in all
configurations, using a manually prefiltered cipher list (e.g. EC vs.
non-EC ciphers) becomes to complex. Replace the manual split with
ssl_cipher:filter_suites/1 in all places.
Conflicts:
lib/ssl/src/ssl.erl
lib/ssl/src/tls_v1.erl
|
|
The OpenSSL detection match would actually consider all 1.0.1 versions
as affected when really only 1.0.1 - 1.0.1c are.
|
|
Some psk and some not yet supported anonymous suites are only supported
with TLS version >= 1.2. This adds them to the tests and makes sure
that they are not tested on TLS versions that do not support them.
|
|
|
|
|
|
* ia/ssl/inherit/OTP-11897:
ssl: Handle socket option inheritance when pooling of accept sockets is used
|
|
Implement a listen socket tracker process that holds the emulated socket
options so that it is possible to implement a destructive ssl:setopts
on SSL/TLS listen sockets without changing the options of the internal
socket as we want that socket to have the internal socket option values.
|
|
|
|
|
|
If a client sends some garbage in ssl record instead of
valid fragment, server crashes with function_clause while
receiving next record from client.
This patch makes server raise handshake failure instead of
crashing and exposing internal state to user code.
|
|
Also fix DTLS call to supply its corresponding TLS version
|
|
Negotiated version is now always passed to ssl_handshake:select_hashsign
because ssl_handshake:select_cert_hashsign has different rsa defaults on
tlsv1.2 and older versions.
|
|
|
|
* ia/ssl/recv/OTP-11878:
ssl: recv shall ruturn {error, einval} on active socket
|
|
|
|
When selecting the available cipher suites for the server all cipher suites
for the highest supported SSL/TLS-version would be selected, and not
all supported for the negotiated SSL/TLS-version. This could lead
to that faulty clients could negotiate cipher suites that they
can not support. This change will enable the faulty client to negotiate
another cipher suite that it can support.
|
|
* ia/ssl/accept-with-options:
ssl: Add possibility to specify ssl options when calling ssl:ssl_accept
|
|
|
|
Certificates uses: default_md = sha256
This is not supported on all test platforms, use md5 instead for testing.
|
|
|
|
|
|
|
|
* Handle v1 CRLs, with no extensions.
* Compare the IDP on a CRL correctly, if present
* Don't try to double-decode altnames
Tests are also included, and the make_certs testing tool in the SSL
application has been greatly extended.
|
|
unexpected alerts.
Add recognitions of RFC 4366 alerts and handle possible
unimplementd alerts in a gracefully way.
|
|
When TLS client sends a Supported Elliptic Curves Client Hello Extension
containing an unknown curve enum value, a server crashes with a
function_clause instead of just ignoring specified unknown curve.
|
|
Avoid puzzling behavior due to options being disregarded if they
are not key value tuples.
|
|
* schlagert/fix_basic_appups:
Dynamically configure typer_SUITE according to environment
Disable hipe_SUITE when environment doesn't support it
Make hipe non-upgradable by setting appup file empty
Fix missing module on hipe app file template
Add test suites performing app and appup file checks
Introduce appup test utility
Fix library application appup files
Fix non-library appup files according to issue #240
OTP-11744
|
|
Add the mentioned test suites for *all* library and touched
non-library applications.
|
|
|
|
|
|
|
|
* ia/ssl/tests:
ssl: Avoid test case timing issues
|
|
* ia/Vagabond/adt-honor-cipher-order/OTP-11621:
Implement 'honor_cipher_order' SSL server-side option
|
|
|
|
Conflicts:
otp_build
|
|
did not support secure renegotiation
|
|
* dgud/test_unicode/OTP-10877:
sasl test: Quote executable paths (can contain spaces)
rt_tools: Handle unicode chars in printouts
kernel: code_SUITE fix unicode option
Fix (unicode) debug info in test cases
stdlib: Fix format if module resides in a unicode directory
Fix testing with unicode paths
test_server: Fix ts write unicode in config files
|
|
HonorCipherOrder as implemented in Apache, nginx, lighttpd, etc. This
instructs the server to prefer its own cipher ordering rather than the
client's and can help protect against things like BEAST while
maintaining compatability with clients which only support older ciphers.
This code is mostly written by Andrew Thompson, only the test case was
added by Andreas Schultz.
|
|
* ia/ssl/openssl-reneogtiation-bug:
ssl: Add versions to check for sane OpenSSL version for renegotiation
|
|
|
|
|
|
|
|
|