Age | Commit message | Author |
|
Adjust to handle output from OpenSSL in a more general way, so that
"unknown option" should be caught for all cases and the test case
skipped if that is the case, and other data from OpenSSL should be
ignored.
|
|
The -ssl2 option to s_client appears to be broken on this release.
This is a legacy option anyway that is still tested on other old
versions of OpenSSL, so skip this.
|
|
|
|
RSA signed certs
|
|
|
|
|
|
The commit 8b10920 (OTP 19.3.1) fixed the non-delivery of final TLS
record in {active, once}, but this causes the ssl_closed message to be
lost when the TCP connection closes before ssl:close/1. The patch
restores the behavior of OTP 18.
This is the second part to fix https://bugs.erlang.org/browse/ERL-420.
|
|
Test should check that we get the expected key exchange algorithm
for the provided server cert. We do not want to test OpenSSL s_server.
Do not try to test cipher suites against OpenSSL that it does not
support.
|
|
|
|
* ingela/ssl/bench-certs:
ssl: Disable Server Name verification in bench tests for now
|
|
|
|
* ingela/ssl/windows-cuddle:
ssl: Only run sslv2 reject tests on old OpenSSL version
ssl: Try to workaround OpenSSL windows obscurities
|
|
|
|
|
|
When the server_name_indication is sent, automate the
client's check that the hostname is present in the
server's certificate. Currently server_name_indication shall
be in the dns_id format. If server_name_indication is disabled,
it is up to the user to do their own check in the verify_fun.
|
|
|
|
With the new help functions for creating test data we can simplify the
code. And sometimes corrections have been made so that the test actually
performs the test intended.
|
|
The certificate chain handling had become quite entangled and
was not correct.
|
|
* ingela/ssl/make-cert-test-data/OTP-14294:
ssl, public_key: Add functionality for generating X509 cert test data
|
|
For now this functionality is located in ssl. An existing
public_key function is extended. However, some of the functionality may
be moved to public_key at a later stage.
|
|
Add session_id and remove undocumented ssl:session_info/1.
Add client_random, server_random and master_secret; they will not be included
in ssl:connection_information/1 as they may affect the connection's security if
used recklessly.
|
|
|
|
|
|
We want to avoid failing test cases but still be able to merge
DTLS progress for 19.3
|
|
|
|
The new_options_in_accept test is not working yet, however DTLS is still
work in progress and we want to make a progress merge to avoid merge conflicts
with other progress of the ssl application.
|
|
We need to figure out a good way of knowing if the OpenSSL-"DTLS server" is up.
Some of the code in this commit is attempting this, but it is not really working
yet, and hence only tests where OpenSSL is client are enabled.
|
|
|
|
Change retransmission timers to use gen_statem state timeouts. We do
not need a retransmission timer in the state connection, as data traffic in
DTLS over UDP is not retransmitted. If the last flight before
transitioning into connection is lost, it will be resent when the peer
resends its last flight. This will also make hibernation testing more
straightforward.
We need more adjustments later to handle a reliable DTLS transport
such as SCTP.
|
|
DTLS does not support stream ciphers and needs different
handling of the "#ssl_socket{}" handle.
|
|
|
|
common_test requires that if init_per_suite/1 exists, then
end_per_suite/1 must also exist. If end_per_suite/1 does not exist,
then it will be marked in the log as failed with reason 'undef'. Some
test suites are corrected to avoid this.
|
|
|
|
|
|
Valid SSL 3.0 or TLS hellos might accidentally match the SSL 2.0 format
(and sometimes the other way around before inspecting data),
so we need to match SSL 3.0 and TLS first and only match SSL 2.0
hellos when the flag to support it is set.
|
|
|
|
* ingela/ssl/crl-validity:
ssl: Make crls valid for a week instead of 24 hours
|
|
|
|
* egil/percept/remove-application/OTP-14163:
ssl: Remove percept from benchmark
otp: Don't mention percept in documentation
runtime_tools: Remove percept
percept: Remove application
|
|
|
|
The PEM cache handling has proven to be too disruptive of the manager process.
|
|
If a handshake message is really big it could happen that the ssl
process would hang due to failing to request more data from the
socket. This has been fixed.
Also added an option to limit max handshake size. It has a default
value that should be big enough to handle normal usage and small
enough to mitigate DoS attacks.
|
|
With the 24 option we might be unlucky and get failing tests just because
the cert expired before the test is run.
|
|
|
|
* ingela/dtls/statem/OTP-12982:
ssl: Implement DTLS state machine
|
|
* ingela/ECC-tests:
ssl: Make sure common-test priv_dir is used for test case generated files
|
|
Beta DTLS, not production ready. Only very basically tested, and
not everything in the SPEC is implemented and some things
are hard coded that should not be, so this implementation cannot be considered
secure.
Refactor "TLS connection state" and socket handling, to facilitate
DTLS implementation.
Create dtls "listener" (multiplexor) process that spawns
DTLS connection process handlers.
Handle DTLS fragmentation.
Framework for handling retransmissions.
Replay Detection is not implemented yet.
Alerts currently always handled as in TLS.
|
|
ECC certs should preferably use SHA2; this is what we want to be
testing. Also, assembling of all available test suites must consider the TLS version.
|
|
* ingela/ssl/tune-timeouts-packet_SUITE:
ssl: Change to more modest timeouts
|
|
We were never really satisfied with this workaround; it was
a bit far-fetched, so we are pleased to be able to remove it.
|