Age | Commit message (Collapse) | Author |
|
* ia/ssl/controlling-process-on-listen-socket/OTP-10447:
ssl: Improve #sslsocket{} API
ssl: It is now possible to call controlling_process on a listen socket, same as in gen_tcp.
|
|
|
|
same as in gen_tcp.
Made error handling of listen sockets as arguments to funtions
expecting a connected socket more inet/gen_tcp like.
|
|
* ia/ssl/npn/OTP-10361:
ssl: Shorten test case names to workaround ct shortcomings on windows
ssl: SSL 3.0 does not support next protocol negotiation
ssl: Dialyzer fixes and code cleaning
ssl: Changed default behaviour of next protocol negotiation to make more "sense" (be true to the specification).
ssl: Update SSL docs for SSL Next Protocol Support
ssl: Support for SSL Next Protocol Negotiation * http://technotes.googlecode.com/git/nextprotoneg.html
|
|
|
|
|
|
Also shorten test cases names to workaround test framework problems
on windows
|
|
Types in a record where wrongly type specified, did not include
undefined. Make them comments for now, maybe we will specify internal
records with dialyzer types later, but as the other record fields are
not specified at the moment, with dialyzer types, make the code
consistent.
|
|
more "sense" (be true to the specification).
|
|
* http://technotes.googlecode.com/git/nextprotoneg.html
|
|
|
|
* ta/docsmaint:
Fix various doc typos for R15B02
Fix various code typos for R15B02
OTP-10245
|
|
|
|
This options is useless and should be deprecated. But we behave
as inet does for now!
|
|
combinations
|
|
This is also avoids triggering some bugs in OpenSSL.
|
|
The Rizzo tests ran both SSL 3.0 and TLS 1.0 tests in the same test
case but the new group structure that run all relevant test for all
relevant SSL/TLS versions we need to change that to run the protocol version
of the group the we are currently running.
|
|
|
|
|
|
|
|
TLS 1.2 allows to negotiate the used PRF,
additional the default PRF uses a different
hash. This change make the PRF selectable
and hardwires the PRF for TLS < 1.2
|
|
TLS 1.2 changes the layout of several handshake
records. This adds the TLS version to dec_hs/2
so it can decode those.
|
|
now that we handle TLS 1.1+ records correctly, the test suite
have to take that into account.
|
|
|
|
ssl sockets.
|
|
* ia/ssl/bottlenecks/OTP-10113:
ssl: Test case fixes
ssl: Avoid second bottleneck in supervisor
ssl: File handling optimization
ssl: Simpler PEM cache
ssl: Refactored for readability
ssl: Use md5 as file ref id instead of filenames
ssl: Move ets:select bottleneck in server
ssl: Renegotiate updates session id in gen_fsm state
ssl: Use ordered_set in cache
ssl: Move and avoid ets:select bottleneck in client
ssl: Reuse session check optimization
ssl: Avoid supervior bottleneck
|
|
|
|
Avoid cach validation with file:file_info/2 as this i too expensive and
causes a bottleneck in the file server. Instead we expose a new API function
ssl:clear_pem_cache/0 to deal with the problem. As we think it will be
of occasional use and the normal case is that the cache will be valid we think
it is the right thing to do.
Convert file paths to binary representation in the ssl API module to
avoid uncessarry calls in file later on.
Also add sanity checks for openssl versions in testsuite due to new
openssl bugs.
|
|
OTP-10106
OTP-10107
|
|
|
|
* rc/spell-registered:
Correct spelling of "registered" in various places in the source code
OTP-9925
|
|
* pg/ssl_dist-fixes:
Robustness and improvement to distribution over SSL
|
|
Fix a bug where the caller would timeout and ssl_tls_dist_proxy would
crash.
Fix a bug where a timeout from the SSL layer would block the
distribution forever (typically when a non-SSL node tries to connect to an
SSL node).
Add this very case as a test (test_server tries to connect to SSL nodes).
Run the proxy exclusively on the loopback interface.
|
|
* ia/ssl/test-maint/reject-sslv2-test:
Do not test sslv2 rejection with openssl-1.*
|
|
Background from erlang-questions:
> We use this test suite to verify our PKIX-path-validation code,
> granted we do not yet support CRL-handling but that is on its
> way. Our verify_fun will let you work around the problem that it
> is not yet supported. (Not so fun for you perhaps but a possible
> solution for now).
this is unfortunately not the case since for versions that contain
commit 4dbf3c9e4ae7cfd19b247353369166d31b8f15e5 (it is in R14B04 and
R15B) the documented behaviour (verify_fun will be called for every
certificate) is broken: the verify_fun will only be called, if the
certificate contains unknown extensions.
it is therefore not useful as a CRL workaround (anymore).
best regards
Stefan Grundmann
|
|
Reason sslv2 support seems to be by default turned of.
|
|
|
|
* ia/ssl/tcp-delivery-problem-may-cause-econnaborted:
If if TLS/SSL-close-notify message is not delivered you can get econnaborted error.
|
|
* ia/ssl/public_key/test-maint:
Add default value for "user" if os:getenv("USER") returns false
|
|
|
|
error.
|
|
Check last delay timer for both client and server side to avoide
timing issues.
|
|
The workaround ought to have been added to this case when it was added to
the test case invalid_signature_client
|
|
Rizzo/Duong-Beast attack.
|
|
|
|
|
|
evaluating ssl:recv could be left hanging for ever.
|
|
|
|
|
|
The code is refactored and improved to make it easier to insert the
1/n-1 splitting countermeasure Rizzo/Duong-Beast that is really done
in one function clause in ssl:record_split_bin/3
|