| Age | Commit message (Collapse) | Author |
|---|
|
* upstream/dev:
Both the SSLv3 and TLS 1.0/TLS 1.1 specifications require implementations to ignore data following the ClientHello (i.e., extensions) if they do not understand them.
fix unknown ssl extension parsing by changing length from bits to bytes
Temporary disable tests on MAC due to issus with the MAC ODBC drivers
|
|
|
|
Conflicts:
erts/aclocal.m4
erts/include/internal/ethread_header_config.h.in
|
|
* ta/docs-fixes:
Fix misspelling of intermediate
Fix typos in erts/preloaded/src
Fix more misspellings of compatibility
Fix misspelling of kept
Fix misspelling of compatibility in ssl_basic_SUITE
Fix misspelling of compatibility
Fix misspelling of accommodate
Fix misspelling of exceed
Fix misspelling of accidentally
Fix misspelling of erroneous in xmerl_xsd
Fix misspelling of erroneous
Fix misspelling of successful
Fix typos in instrument(3)
Fix typos in dbg(3)
dialyzer: fix a small typo in list_to_bitstring test
Fix typos in cover.erl
Fix typos (variable name) in erl_nif(3)
Fix typos in mod_esi(3)
Fix trivial typos in erlang(3)
OTP-9555
|
|
* upstream/dev:
Support explicit use of packet option httph and httph_bin
|
|
|
|
|
|
|
|
* ia/ssl/connect-twice:
Added test case
|
|
|
|
|
|
* ia/ssl/use-erlang-send-after-instead-of-timer-send-after:
Use erlang:send_after instead of timer:send_after
Conflicts:
lib/ssl/test/ssl_session_cache_SUITE.erl
|
|
Also save latest delay cleanup timer ref so that we can
use erlang:read_timer to write a more reliable
test case.
|
|
|
|
* ia/ssl/longer-timeout-in-testcase:
Time out in test case needs to be longer to make sure clean up is properly executed
|
|
|
|
properly executed
|
|
|
|
In ssl-4.1.5 temporary clean-up processes would crash resulting in
that the session table would not be cleaned up (e.i. using more and
more memory) and error reports would be printed, but connections would
not be affected.
|
|
* hw/call-chmod-without-f:
Call chmod without the "-f" flag
Conflicts:
erts/emulator/test/Makefile
lib/asn1/test/Makefile
lib/crypto/test/Makefile
lib/debugger/test/Makefile
lib/docbuilder/test/Makefile
lib/edoc/test/Makefile
lib/erl_interface/test/Makefile
lib/inviso/test/Makefile
lib/parsetools/test/Makefile
lib/percept/test/Makefile
lib/ssl/test/Makefile
lib/syntax_tools/test/Makefile
lib/test_server/test/Makefile
lib/tools/test/Makefile
OTP-9170
|
|
|
|
When making an SSL connection (either as client or as server), the
process implementing the connection may use as much as hundreds of
kilobytes of memory, even when idle. This is problematic for any
application maintaining more than just a few SSL connections.
This patch introduces the option { hibernate_after, int() } to the
ssl:connect and ssl:listen functions, making the SSL connection
process go into hibernation after the specified number of milliseconds
of inactivity. This will reduce the memory used by the process to
just a few hundred bytes, making applications with thousands or
more SSL connections feasible, as long as most of the connections
are idle for most of the time (which is typically the case).
The approach of making the process go into hibernation only after
some time of inactivity was chosen because hibernation incurs some
CPU usage, and it is therefore not desirable for a process to
hibernate after each call.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
When a verify fun is supplied, it should not be called to verify
the extended_key_usage-extension when it is already verified
by the ssl_certificate:validate_extension/2
|
|
Added cache invalidation control of ssl certificates so that
sessions will not be reused if file content is changed.
There was a glitch in ssl:close that made it possible to
to get eaddrinuse even though reuseadder-option was used.
Also improved tests for better user-close handling.
|
|
|
|
Such reason is that pulic key generation or mnesia:stop might
occasionally take very long time.
|
|
"-f" is a non-standard chmod option which at least SGI IRIX and HP UX do
not support. As the only effect of the "-f" flag is to suppress warning
messages, it can be safely omitted.
|
|
For testing purposes ssl now also support some anonymous cipher suites
when explicitly configured to do so.
Also moved session cache tests to its own suite, so that timeout
of end_per_testcase when the mnesia is used as session cache will
not affect other test cases.
|
|
Conflicts:
lib/public_key/src/pubkey_cert.erl
|
|
Changed the verify fun so that it differentiate between the peer
certificate and CA certificates by using valid_peer or valid as the
second argument to the verify fun. It may not always be trivial or
even possible to know when the peer certificate is reached otherwise.
|
|
DSS-Params may be null in a certificate as it can inherit the
parameters.
Also ignore CA-certs that do not follow ASN-1 spec in RFC 5280.
|
|
Added the functionality so that the verification fun will be called
when a certificate is considered valid by the path validation to allow
access to eachs certificate in the path to the user application.
Removed clause that only check that a extension is not critical,
it does alter the verification rusult only withholds information from
the application.
Try to verify subject-AltName, if unable to verify it let
application try.
|
|
* ia/ssl-http-error-test:
Add test suite for packet http_error.
|
|
|
|
|
|
Changed the behavior of the verify_fun option so that
the application can be responsible for handling path validation
errors even on the server side. Also replaced the not yet
documented validate_extensions_fun to be handled by the
verify_fun instead.
If the verify callback fun returns {fail, Reason}, the verification process is
immediately stopped and an alert is sent to the peer and the TLS/SSL
handshake is terminated. If the verify callback fun returns {valid,
UserState}, the verification process is continued. If the verify callback
fun always returns {valid, UserState}, the TLS/SSL handshake will not be
terminated with respect to verification failures and the connection
will be established. The verify callback fun will also be
able to verify application specific extensions.
|
|
Added support for inputing certificates and keys directly in DER format
these options will override the pem-file options if specified.
|
|
Handling of unkown CA certificats was changed in ssl and
public_key to work as intended.
In the process of doing this some test cases has been corrected as
they where wrong but happened to work together with the
incorrect unknown CA handling.
|
