Age | Commit message | Author
* ingela/ssl/crl-validity:
ssl: Make crls valid for a week instead of 24 hours
The PEM cache handling has proven to be too disruptive of the manager process.
If a handshake message is really big it could happen that the ssl
process would hang due to failing to request more data from the
socket. This has been fixed.
Also added an option to limit max handshake size. It has a default
value that should be big enough to handle normal usage and small
enough to mitigate DoS attacks.
With the 24 option we might be unlucky and get failing tests just because
the cert expired before the test is run.
* ingela/dtls/statem/OTP-12982:
ssl: Implement DTLS state machine
* ingela/ECC-tests:
ssl: Make sure common-test priv_dir is used for test case generated files
Beta DTLS, not production ready. Only very basically tested, and
not everything in the SPEC is implemented and some things
are hard coded that should not be, so this implementation cannot be considered
secure.
Refactor "TLS connection state" and socket handling, to facilitate
DTLS implementation.
Create dtls "listener" (multiplexor) process that spawns
DTLS connection process handlers.
Handle DTLS fragmentation.
Framework for handling retransmissions.
Replay Detection is not implemented yet.
Alerts currently always handled as in TLS.
ECC certs should preferably use SHA2; this is what we want to be
testing. Also the assembling of all available test suites must consider the TLS version.
* ingela/ssl/tune-timeouts-packet_SUITE:
ssl: Change to more modest timeouts
We were never really satisfied with this workaround; it was
a bit far-fetched, so we are pleased to be able to remove it.
As per RFC 4492 Sec 5.1, the preferred order of selection of named
curves is based on client preferences.
Currently, the SSL application only picks entries according to the
absolute order of entries as tracked in a hardcoded list in code.
This patch changes things so that the client-specified order is
preferred. It also allows a mode where the server can be configured to
override the client's preferred order with its own, although the chosen
ECC must still be within both lists.
The configuration is done through the following options:
- `eccs`, shared by clients and servers alike, allows the specification
of the supported named curves, in their preferred order, and may
eventually support more values for explicit primes and so on.
- `honor_ecc_order`, a server-only option, is similar to
`honor_cipher_order` and will, by default, let the server pick the
client-preferred ECC, and otherwise pick the server-preferred one.
The default value for `eccs` is the same as before, although the
server-chosen ECC now defaults to the client's rather than the previous
choice.
A function `ssl:eccs()` has been added that returns the highest
supported ECCs for the library.
This should be fine as the timeout problem was due to a test case
bug that treated a stream as if it was packet oriented.
* ingela/ssl/crl_SUITE:
ssl: Make sure test has correct input
Data collection function active_once_raw/4 did not handle streamed
data correctly (it assumed the stream was "packet oriented"),
which could result in the test case perceiving that
it did not receive all data even though it did.
Test suite did not take the TLS version into account. Also
some anonymous suites were included incorrectly in some TLS versions.
* ingela/ssl/packet-tests:
ssl: Add timetrap scale calls
ssl: Add nodelay to packet=0|raw tests
* ferd/bypass-pem-cache/PR-1143/OTP-13883:
ssl: Add documentation of bypass_pem_cache application environment configuration
ssl: Add new benchmarks to skip file for normal testing
Adding PEM cache bypass benchmark entries
Fixing CRL searching in cache bypass
Add option to bypass SSL PEM cache
init_per_testcase timeout for renegotiation tests would be overridden
by local timeout in test case help function.
* ingela/ssl/dtls-progress/connection-states-as-maps:
dtls: fix encoding of client hello cookie
dtls: Prepare start of DTLS connection manager with SSL app
ssl: Refactor to use maps for the connection states
ssl, dtls: Refactor sni handling
dtls: Add close/5
dtls: Add renegotiate/2
dtls: Add protocol event handling
ssl: Refactor code so that tls and dtls can share more code
ssl, dtls: Disable V2 compatibility clause from ssl_handshake:update_handshake_history
ssl: Make sure common code for TLS and DTLS uses the TLS Version
ssl: remove unused RecordCB argument from master_secret
dtls: Add reinit_handshake_data/1 to dtls
dtls: replace tls_record with RecordCB in connection_info
Fix version numbers and dependencies
Even though v2 is never supported, v2 hellos can be.
No support for v2 client hellos gives a "handshake failure" alert.
Support for v2 hello but no higher SSL/TLS version offered
gives a "protocol version" alert.
Avoid running tests of algorithms not supported by crypto.
The benchmarks run through the local node only, as an attempt to show
more potential contention on certificate usage.
* raimo/gen_statem-callback_mode/OTP-13752:
ssl: Upgrade suite testing skipped if stdlib upgrade is required
Fix version numbers and dependencies
Conflicts:
lib/ssl/src/ssl.appup.src
lib/ssl/vsn.mk
* ingela/ssl/cuddle:
ssl: Test and test suites shall be independent of each other
Skip some tests on really slow Solaris machines
Make sure ssl application has a fresh start, so that tests do
not fail because other tests did not clean up properly.
Tests in ECC_SUITE did not always use the certs implied by the
name. Variable naming also confused the intent.
ssl_certificate_verify_SUITE did not clean up properly and tests could
fail due to cache problems.
Function to stop SSL/TLS node may not exit as a test case will start more than
one node and all nodes must be stopped.
This should only be used in legacy test cases, not in test cases
testing other functionality.
* ingela/ssl/packet_SUITE/test-timeouts:
ssl: Make different timeouts
Some test cases take a really long time on old machines, but normally
all tests are under 15 seconds. Try to avoid long timeouts
for all test cases.
Although we would like to find a better tuning, set timeouts high for now
to avoid test cases failing with timeout.
* ingela/ssl_to_openssl_SUITE-timeouts:
ssl: Timeout tuning
* ingela/ssl/ssl_basic_SUITE-timeouts:
ssl: Tune timeouts
* legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530:
Skip crl_hash_dir_expired test for LibreSSL
Add ssl_crl_hash_dir module
Function for generating OpenSSL-style name hashes
Add public_key:pkix_match_dist_point
Improve formatting for crl_{check,cache} options
Add issuer arg to ssl_crl_cache_api lookup callback
Conflicts:
lib/public_key/test/public_key_SUITE.erl
* lukas/erts/testfixes-19:
erts: Increase bif and nif call_time trace test
erts: Fix distribution_SUITE:bulk_send_bigbig on windows
erts: Ensure bs_add_overflow test has enough memory
kernel: Better explain controlling_process' tcp behaviour
kernel: Fix t_recv_delim on bsd
os_mon: Make sure to start/stop os_mon in tests correctly
ssl: Fix use_interface dist_SSL test
erl_interface: Fix signed int overflow tc bug
erts: fix atom_roundtrip_r15b tc
erts: Require more memory for debug tests
Doing inet:port will cause a port_control to be sent to
the port, and not all ports in the vm can handle having
arbitrary data sent to them.