| Age | Commit message (Collapse) | Author |
|---|
|
|
|
* rlipscombe/rl-ssl-options:
Ensure single 'raw' option is handled correctly
Pass 'raw' options through
OTP-13166
|
|
If upper limit is reached invalidate the current cache entries, e.i the session
lifetime is the max time a session will be keept, but it may be invalidated
earlier if the max limit for the table is reached. This will keep the ssl
manager process well behaved, not exhusting memeory. Invalidating the entries
will incrementally empty the cache to make room for fresh sessions entries.
|
|
* legoscia/tls_dist_options:
Test interface listen option for TLS distribution
Test socket listen options for TLS distribution
Test port options for TLS distribution
TLS Dist: Use inet_dist_ options
Conflicts:
lib/ssl/src/ssl_tls_dist_proxy.erl
lib/ssl/test/ssl_dist_SUITE.erl
OTP-12838
|
|
* legoscia/tls_dist_nodelay:
Add test for dist_nodelay option
Honour dist_nodelay socket option in tls_dist proxy
OTP-13143
|
|
Add a test to ensure that a single 'raw' option can be passed to
ssl:listen correctly.
Note: multiple raw options are (incorrectly) handled by
inet:listen_options. See
http://erlang.org/pipermail/erlang-questions/2014-March/078371.html
|
|
Add test that checks that the option inet_dist_use_interface is used
when starting a node with TLS distribution.
|
|
Add test that checks that the option inet_dist_listen_options is used
when starting a node with TLS distribution.
This test was adapted from inet_dist_options_options in
erl_distribution_SUITE.
|
|
Add test that checks that the options inet_dist_listen_min and
inet_dist_listen_max are used when starting a node with TLS
distribution.
|
|
Needed after the fix in 120975c4fcb57ecd14031ac046f483e56a3daa4d.
|
|
Run the 'basic' test with dist_nodelay set to false.
|
|
To avoid test case failure due to test case setup timing issues.
Suspected problem is that the listen queue builds up to quickly in
client_unique_session test when running on slow computers.
|
|
|
|
Soft upgrade test did not work as expected due to that the upgrade
frame work keeps the control of the test case process to itself,
so we need a proxy process to receive messages from ssl test framework.
|
|
|
|
* ia/ssl/register-unique-session/OTP-12980:
ssl: Correct return value of default session callback module
|
|
Add possibility to downgrade an SSL/TLS connection to a tcp connection,
and give back the socket control to a user process.
Add application setting to be able to change fatal alert shutdown
timeout, also shorten the default timeout. The fatal alert timeout is
the number of milliseconds between sending of a fatal alert and
closing the connection. Waiting a little while improves the
peers chances to properly receiving the alert so it may
shutdown gracefully.
|
|
ssl_session_cache:select_session/2 returned [sesionid(), #session{}]
instead of #session{} as the API demands.
This was wrongly compensated for in the code in one place making it
look like everything was good. But the client check for unique session
would always fail, potentially making the client session table grow
a lot and causing long setup times.
|
|
|
|
|
|
|
|
* ia/ssl/modern-timetrap:
ssl: Make init functions fail if make_certs:all fails
ssl: Avoid sleep
ssl: modernize timetrap handling
|
|
|
|
When possible avoid sleep in test cases.
|
|
Watchdog is legacy test_server use only ct:timetrap/1
|
|
|
|
The test cases does not use any hooks and including the ts_install_cth
trips up the test case setup on some platforms cuasing the test cases
to fail with {error, enoent}
|
|
* ia/ssl/test-fips:
ssl: Filter suites for openssl FIPS if necessary
|
|
|
|
* ferd/deny-client-renegotiation:
Add disable client-initiated renegotiation option
Conflicts:
lib/ssl/doc/src/ssl.xml
lib/ssl/src/ssl.erl
OTP-12815
|
|
Client-initiated renegotiation is more costly for the server than the
client, and this feature can be abused in denial of service attempts.
Although the ssl application already takes counter-measure for these
(via cooldown periods between renegotiations), it can be useful to
disable the feature entirely.
This patch adds the `{client_renegotiation, boolean()}' option to the
server-side of the SSL application (defaulting to `true' to be
compatible with the current behaviour).
The option disables the ability to do any renegotiation at all in the
protocol's state, reusing the existing denial code, but without opening
the code path that sets up a timed message to eventually reopen it up.
|
|
|
|
Refactored the code and moved client_check before call to
ssl_test_lib:check_result(Server, ExpectedSNIHostname) as this
call may consume client messages ( which is intentional) but was
missed by the test case writer.
|
|
connection_info -> connection_information
|
|
|
|
|
|
* ia/ssl/sleep-cuddle:
ssl: Adjust sleep time in test case
|
|
Adjust time to make sure "enough" time has elapsed. Will have to do
for now.
|
|
The newly added function sni_fun allows dynamic update of SSL options
like keys and certificates depending on different SNI hostname, rather
than a predefined rules of SSL options.
|
|
This commit adds tests for SNI server support in:
* ssl_sni_SUITE.erl
* ssl_to_openssl_SUITE.erl
And some more modifications:
* make_certs also makes two certs for SNI, and adds
extra options for SNI.
|
|
This reverts commit a3cf4eb4cdd2ce178d81b62faa9f47485fd82331.
This workaround is no longer needed as the, TLS-1.2 extension,
signature_algorithm is now correctly ignored by previous TLS versions.
|
|
|
|
|
|
* ia/ssl/cuddle-openssl:
Add workaround for problems with s_client defaults
|
|
|
|
This commit adds support for RFC7301, application-layer protocol
negotiation. ALPN is the standard based approach to the NPN
extension, and is required for HTTP/2.
ALPN lives side by side with NPN and provides an equivalent
feature but in this case it is the server that decides what
protocol to use, not the client.
When both ALPN and NPN are sent by a client, and the server is
configured with both ALPN and NPN options, ALPN will always
take precedence. This behavior can also be found in the OpenSSL
implementation of ALPN.
ALPN and NPN share the ssl:negotiated_protocol/1 function for
retrieving the negotiated protocol. The previously existing
function ssl:negotiated_next_protocol/1 still exists, but has
been deprecated and removed from the documentation.
The tests against OpenSSL require OpenSSL version 1.0.2+.
|
|
|
|
|
|
* ia/ssl/soft-upgrade-test-server-bug-workaround:
ssl: Workaround test server halfwordemulator bug
|
|
As the halfwordemulator is deprecated just skip the test case
during the circumstances that provokes the bug.
|
