Age | Commit message (Collapse) | Author |
|
The keyexchange ECDHE-RSA requires an RSA-keyed server cert
(corresponding for ECDHE-ECDSA), the code did not assert this
resulting in that a incorrect cipher suite could be selected.
Alas test code was also wrong hiding the error.
|
|
* ingela/ssl/engine-vs-certfile/ERLERL-211/OTP-15193:
ssl: Engine key trumps certfile option
|
|
|
|
Conflicts:
lib/ssl/test/ssl_basic_SUITE.erl
|
|
Conflicts:
lib/ssl/test/ssl_ECC_SUITE.erl
|
|
Failing to recognize psk as an anonymous key exchange would fail the connection
when trying to decode an undefined certificate.
|
|
|
|
The Key Usage extension is described in section 4.2.1.3 of X.509, with the following possible flags:
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1), -- recent editions of X.509 have
-- renamed this bit to contentCommitment
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }
In SSL/TLS, when the server certificate contains a RSA key, then:
either a DHE or ECDHE cipher suite is used, in which case the RSA key
is used for a signature (see section 7.4.3 of RFC 5246: the "Server
Key Exchange" message); this exercises the digitalSignature key usage;
or "plain RSA" is used, with a random value (the 48-byte pre-master
secret) being encrypted by the client with the server's public key
(see section 7.4.7.1 of RFC 5246); this is right in the definition of
the keyEncipherment key usage flag.
dataEncipherment does not apply, because what is encrypted is not
directly meaningful data, but a value which is mostly generated
randomly and used to derive symmetric keys. keyAgreement does not
apply either, because that one is for key agreement algorithms which
are not a case of asymmetric encryption (e.g. Diffie-Hellman). The
keyAgreement usage flag would appear in a certificate which contains a
DH key, not a RSA key. nonRepudiation is not used, because whatever is
signed as part of a SSL/TLS key exchange cannot be used as proof for a
third party (there is nothing in a SSL/TLS tunnel that the client
could record and then use to convince a judge when tring to sue the
server itself; the data which is exchanged within the tunnel is not
signed by the server).
When a ECDSA key is used then "keyAgreement" flag is needed for beeing
ECDH "capable" (as opposed to ephemeral ECDHE)
|
|
ECDH suite handling did not use the EC parameters form the certs
as expected.
Conflicts:
lib/ssl/src/ssl_cipher.erl
|
|
Fix test case code to use keyAgreement for ECDH_ECDSA
Conflicts:
lib/ssl/test/ssl_ECC.erl
lib/ssl/test/ssl_ECC_openssl_SUITE.erl
lib/ssl/test/ssl_to_openssl_SUITE.erl
|
|
When test handling was corrected it was obvious that DTLS ECC handling
was not compleated.
Conflicts:
lib/ssl/src/ssl.erl
lib/ssl/test/Makefile
lib/ssl/test/ssl_ECC.erl
lib/ssl/test/ssl_ECC_SUITE.erl
lib/ssl/test/ssl_ECC_openssl_SUITE.erl
|
|
answer to a certificate request
Solves ERL-599
|
|
Anonymous cipher suites were broken altogether, and
there was an earlier issue where the server would send a signature
in the server key exchange if a certificate was configured, even
if an anonymous suite was actually negotiated.
Backport of PR-1729
|
|
|
|
Preferably customized cipher suites will be based on the default value.
But all may be used as base and hence it will be good to
handle anonymous suites separately as they are intended for testing purposes.
|
|
|
|
LibreSSL-2.6.3 dropped DSS (DSA) support
|
|
|
|
Make sure tests are run with intended version settings.
|
|
* ingela/ssl/timeout-cuddle:
ssl: Tune timeouts
|
|
|
|
Stream ciphers are not valid fro DTLS
|
|
Client will retransmit until server becomes responsive
|
|
This is a preparation for improvements to come in option handling and
support for TLS-1.3
|
|
|
|
* ingela/dtls/no-packet-upd/OTP-14664:
ssl: No support for packet option over unreliable transport
|
|
|
|
Use hradcoded rsa keys as this will work on all legacy platforms.
In test case dns_name_reuse only do the relevant client check in the
final test.
|
|
|
|
If no SNI is available and the hostname is an IP-address also check
for IP-address match. This check is not as good as a DNS hostname check
and certificates using IP-address are not recommended.
|
|
|
|
|
|
The ssl application uses the new function in many of its test cases.
|
|
Add exception for DTLS (not only TLS) against this broken version.
Make sure configuration is clean for default test group.
|
|
Otherwhise test can be wrongly initialized and will fail as they try to run
with a broken setup.
This is an addition to b3ca5727169deaa38917edca8288dcaff9a36800 that accidently
was the wrong version of that branch.
|
|
Otherwhise test can be wrongly initialized and will fail as they try to run
with a broken setup.
|
|
* ingela/ssl/dtls-alert-handling/OTP-14078:
dtls: Customize alert handling for DTLS over UDP
|
|
Test that DTLS handles "high" level packet types as http-packet types.
Low level packet type as {packet, 2} we will consider later if they
should be relevant to support or not.
|
|
Also run this suit on all TLS versions
|
|
|
|
Problems with failure of ssl_certificate_verify_SUITE when enabling DTLS-1
tests in ssl_basic_SUITE was a combination of the bug fixed by the
previous commit and missing clean up code for dtls_protocol_versions
application environment variable
|
|
angelhof/public_key/generate_key-rsa-inconsistency-fix
public_key:generate_key/1 RSA key generation inconsistency
OTP-14534
|
|
* ingela/ssl/timeout-cuddle:
ssl: Longer timeouts for test cases that do many handshakes
|
|
From RFC 6347:
4.1.2.7. Handling Invalid Records
Unlike TLS, DTLS is resilient in the face of invalid records (e.g.,
invalid formatting, length, MAC, etc.). In general, invalid
records SHOULD be silently discarded, thus preserving the
association; however, an error MAY be logged for diagnostic
purposes. Implementations which choose to generate an alert
instead, MUST generate fatal level alerts to avoid attacks where
the attacker repeatedly probes the implementation to see how it
responds to various types of error. Note that if DTLS is run over
UDP, then any implementation which does this will be extremely
susceptible to denial-of-service (DoS) attacks because UDP forgery
is so easy. Thus, this practice is NOT RECOMMENDED for such
transports.
|
|
* ingela/ssl/cert-handling:
ssl: Correct cipher suite handling
ssl: Modernize DSA cert chain generation
ssl: Clean
ssl: Remove test of OpenSSL
ssl: Use new cert generation
|
|
|
|
* ingela/dtls/cuddle:
ssl: Handle OpenSSL output correctly
|
|
This is mainly fixing the test suites so that they test the intended cipher
suites, issue reported in ERL-460.
Also ssl_cipher:anonymous_suites was corrected for DTLS.
|
|
|
|
Adjust to handle output from OpenSSL in a more general way, so that
"unknown option" should be caught for all cases and the test case
skipped if that is the case and other data form OpenSSL should be
ignored.
|