| Age | Commit message (Collapse) | Author |
|---|
|
The commit 8b10920 (OTP 19.3.1) fixed the non-delivery of final TLS
record in {active, once}, but this causes the ssl_closed message to be
lost when the TCP connection closes before ssl:close/1. The patch
restores the behavior of OTP 18.
This is the second part to fix https://bugs.erlang.org/browse/ERL-420
|
|
Test should check that we get the expected key exchange algorithm
for the provided server cert. We do not want to test OpenSSL s_server.
Do not try to test cipher suites against OpenSSL that it does not
support.
|
|
|
|
* ingela/ssl/bench-certs:
ssl: Disable Server Name verification in bench tests for now
|
|
|
|
* ingela/ssl/windows-cuddle:
ssl: Only run sslv2 reject tests on old OpenSSL version
ssl: Try to workaround OpenSSL windows obscurities
|
|
|
|
|
|
When the server_name_indication is sent automatize the
clients check of that the hostname is present in the
servers certificate. Currently server_name_indication shall
be on the dns_id format. If server_name_indication is disabled
it is up to the user to do its own check in the verify_fun.
|
|
|
|
With the new help functions for creating test data we can simplify the
code. And sometimes corrections have been made so that the test actually
perform the test intended.
|
|
The certificate chain handling had become quite entangled and
was not correct.
|
|
* ingela/ssl/make-cert-test-data/OTP-14294:
ssl, public_key: Add functionality for generating X509 cert test data
|
|
For now this functionality is located in ssl. And existing
public_key function is extended. However some of the functionality may
be moved to public_key in a later stage.
|
|
Add session_id and remove undocumented ssl:session_info/1
Add client_random, server_random and master_secret, they will not be included
in ssl:connection_information/1 as they may affect the connections security if
used recklessly.
|
|
|
|
|
|
We want to avoid failing test cases but still be able to merge
DTLS progress for 19.3
|
|
|
|
The new_options_in_accept test is not working yet, however DTLS is still
work in progress and we want to make a progress merge to avoid merge conflicts
with other progress of the ssl application.
|
|
We need to figure out a good way of knowing if the OpenSSL-"DTLS server" is up.
Some of the code in this commit is attempting this, but it is not really working
yet, and hence only tests where OpenSSL is client are enabled.
|
|
|
|
Change retransmissions timers to use gen_statem state timeouts. We do
not need a retransmission timer in the state connection as data traffic in
DTLS over UDP is not retransmitted. If the last flight before
transitioning into connection is lost, it will be resent when the peer
resends its last flight. This will also make hibernation testing more
straight forward.
We need more adjustments later to handle a reliable DTLS transport
such as SCTP.
|
|
DTLS does not support stream ciphers and needs diffrent
handling of the "#ssl_socket{}" handle .
|
|
|
|
common_test requires that if init_per_suite/1 exists, then
end_per_suite/1 must also exist. If end_per_suite/1 does not exist,
then it will be marked in the log as failed with reason 'undef'. Some
test suites are corrected to avoid this.
|
|
|
|
|
|
Valid SSL 3.0 or TLS hellos might accidentally match SSL 2.0 format
(and sometimes the other way around before inspecting data)
so we need to match SSL 3.0 and TLS first and only match SSL 2.0
hellos when flag to support it is set.
|
|
|
|
* ingela/ssl/crl-validity:
ssl: Make crls valid for a week instead of 24 hours
|
|
|
|
* egil/percept/remove-application/OTP-14163:
ssl: Remove percept from benchmark
otp: Don't mention percept in documentation
runtime_tools: Remove percept
percept: Remove application
|
|
|
|
The PEM cache handling has proven to be too disruptive of the manager process.
|
|
If a handshake message is really big it could happen that the ssl
process would hang due to failing of requesting more data from the
socket. This has been fixed.
Also added option to limit max handshake size. It has a default
value that should be big enough to handle normal usage and small
enough to mitigate DoS attacks.
|
|
With the 24 option we might be unlucky and get failing tests just because
cert expired before the test is run.
|
|
|
|
* ingela/dtls/statem/OTP-12982:
ssl: Implement DTLS state machine
|
|
* ingela/ECC-tests:
ssl: Make sure common-test priv_dir is used for test case generated files
|
|
Beta DTLS, not production ready. Only very basically tested, and
not everything in the SPEC is implemented and some things
are hard coded that should not be, so this implementation can not be consider
secure.
Refactor "TLS connection state" and socket handling, to facilitate
DTLS implementation.
Create dtls "listner" (multiplexor) process that spawns
DTLS connection process handlers.
Handle DTLS fragmentation.
Framework for handling retransmissions.
Replay Detection is not implemented yet.
Alerts currently always handled as in TLS.
|
|
ECC certs should preferably use SHA2, this is what we want to be
testing. Also assembling of all available test suites must consider TLS version.
|
|
* ingela/ssl/tune-timeouts-packet_SUITE:
ssl: Change to more modest timeouts
|
|
We where never really satisfied with this workaround it was
a bit far fetched, so we are pleased to be able to remove it.
|
|
|
|
As per RFC 4492 Sec 5.1, the preferred order of selection of named
curves is based on client preferences.
Currently, the SSL application only picks entries according to the
absolute order of entries as tracked in a hardcoded list in code.
This patch changes things so that the client-specified order is
preferred. It also allows a mode where the server can be configured to
override the client's preferred order with its own, although the chosen
ECC must still be within both lists.
The configuration is done through the following options:
- `eccs`, shared by clients and servers alike, allows the specification
of the supported named curves, in their preferred order, and may
eventually support more values for explicit primes and so on.
- `honor_ecc_order`, a server-only option, is similar to
`honor_cipher_order` and will, by default let the server pick the
client-preferred ECC, and otherwise pick the server-preferred one.
The default value for `eccs` is the same as before, although the
server-chosen ECC now defaults to the client rather than previous
choice.
A function `ssl:eccs()` has been added that returns the highest
supported ECCs for the library.
|
|
This should be fine as timeout problem was due to test case
bug that treated a stream as if it was packet oriented.
|
|
|
|
* ingela/ssl/crl_SUITE:
ssl: Make sure test has correct input
|
|
Data collection function active_once_raw/4 did not handle streamed
data correctly (it assumed the stream was "packet oriented"),
which could result in that the test case perceived that
it did not receive all data even though it did.
|
